[openssl-users] Doubt regarding O-SSL and setting the duration of certificates
rgm at htt-consult.com
Wed Sep 13 20:36:50 UTC 2017
On 09/13/2017 09:31 AM, Michael Richardson wrote:
> Robert Moskowitz <rgm at htt-consult.com> wrote:
> > The devices never test out the lifetime of their certs. That is up to
> (Do you think about the MacGyver/StarTrek/A-Team/Leverage/MissionImpossible
> plot line that goes along with each engineering decision?...)
Never was into watching TV. Maybe saw half a dozen MI and maybe 4 - 5
StarTrek, so I really can't answer this... :)
> > validating servers. And the iDevID is not really intended for operational
> > use. Rather it is the security bootstrap for the lDevID. See the work being
> > done in the ANIMA workgroup as an example of what to do with this. Michael
> > Richardson, who recently joined this list is working on the related Internet
> > Draft(s).
> > I should test out a cert beyond 2038 on my armv7 32 bit Cubieboard. Will try
> > that tomorrow....
> > I HAVE made certs with this value and I am displaying their content. But that
> > system is off right now. I will get one of the samples also tomorrow.
> > And yes, the industry does need to think some about this...
> I suspect that the value: literal value 99991231235959Z will simply come to
> mean "the end of time", even after the year 10,000. It has a well known
> DER encoding, and one can memcmp() it.
> Perhaps we will define an OID which means "no expiry", and start including
> that. I don't think the expiry date is an optional part.
Nice thought. Not really an option.
> I will also have example vouchers, voucher requests and ECDSA ("prime256v1")
> certs with known private keys (so you can replicate my work) for the ANIMA
> BRSKI document, perhaps next week.
Do we agree on the DN and SAN content per 802.1AR? I am not entirely
confident with my reading of what I contributed to! Well at that time I
left the cert profile to others. I can send you a whole pki tree zipped
up. Do you have any 'live' specimens?
> I'd rather publish Curve25519/EdDSA examples, but it's too bleeding edge for the moment.
We wait until 1.1.1 ships. But MAYBE we should be doing builds and
testing now instead of after it ships...
> ] Never tell me the odds! | ipv6 mesh networks [
Odds are it won't make a difference.
More information about the openssl-users