[openssl-users] Doubt regarding O-SSL and setting the duration of certificates

Robert Moskowitz rgm at htt-consult.com
Wed Sep 13 20:36:50 UTC 2017



On 09/13/2017 09:31 AM, Michael Richardson wrote:
> Robert Moskowitz <rgm at htt-consult.com> wrote:
>      > The devices never test out the lifetime of their certs. That is up to
>
> Exactly...
> (Do you think about the MacGyver/StarTrek/A-Team/Leverage/MissionImpossible
> plot line that goes along with each engineering decision?...)

Never was into watching TV.  Maybe saw half a dozen MI and maybe 4 - 5 
StarTrek, so I really can't answer this...  :)

>      > validating servers. And the IDevID is not really intended for operational
>      > use. Rather it is the security bootstrap for the LDevID. See the work being
>      > done in the ANIMA workgroup as an example of what to do with this. Michael
>      > Richardson, who recently joined this list is working on the related Internet
>      > Draft(s).
>
>      > I should test out a cert beyond 2038 on my armv7 32 bit Cubieboard. Will try
>      > that tomorrow....
>
>      > I HAVE made certs with this value and I am displaying their content. But that
>      > system is off right now. I will get one of the samples also tomorrow.
>
>      > And yes, the industry does need to think some about this...
>
> I suspect that the value: literal value 99991231235959Z will simply come to
> mean "the end of time", even after the year 10,000.  It has a well known
> DER encoding, and one can memcmp() it.
> Perhaps we will define an OID which means "no expiry", and start including
> that.  I don't think the expiry date is an optional part.

Nice thought.  Not really an option.

> I will also have example vouchers, voucher requests and ECDSA ("prime256v1")
> certs with known private keys (so you can replicate my work) for the ANIMA
> BRSKI document, perhaps next week.

Do we agree on the DN and SAN content per 802.1AR?  I am not entirely 
confident with my reading of what I contributed to!  Well at that time I 
left the cert profile to others.  I can send you a whole pki tree zipped 
up.  Do you have any 'live' specimens?


> I'd rather publish Curve25519/EdDSA examples, but it's too bleeding edge for the moment.

We wait until 1.1.1 ships.  But MAYBE we should be doing builds and 
testing now instead of after it ships...

> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [

Odds are it won't make a difference.

Bob
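The two technical points in this exchange are the sentinel 99991231235959Z (which RFC 5280 reserves to mean "no well-defined expiration date" and which, as Michael notes, has a fixed DER encoding that can simply be memcmp()'d) and Bob's plan to try a cert with a notAfter beyond 2038 on a 32-bit ARM board. The helper below is an added illustration, not OpenSSL code and not anything from the thread: it hand-decodes a DER UTCTime or GeneralizedTime, recognises the no-expiry sentinel by byte comparison, and reports whether the resulting epoch value would fit a 32-bit time_t. The sample encodings are constructed for the demo; the function and type names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER of GeneralizedTime "99991231235959Z": tag 0x18, length 15, ASCII body.
 * RFC 5280 4.1.2.5 reserves exactly this value for "no well-defined expiration date". */
static const unsigned char NO_EXPIRY_DER[] = {
    0x18, 0x0f, '9','9','9','9','1','2','3','1','2','3','5','9','5','9','Z'
};

/* Constructed sample encodings used by main() and the checks (not taken from any real cert). */
static const unsigned char SAMPLE_UTC_2017[] =   /* UTCTime 2017-09-13T20:36:50Z */
    { 0x17, 0x0d, '1','7','0','9','1','3','2','0','3','6','5','0','Z' };
static const unsigned char SAMPLE_GT_LAST32[] =  /* GeneralizedTime 2038-01-19T03:14:07Z == INT32_MAX */
    { 0x18, 0x0f, '2','0','3','8','0','1','1','9','0','3','1','4','0','7','Z' };
static const unsigned char SAMPLE_GT_OVER32[] =  /* one second later: first value a 32-bit time_t cannot hold */
    { 0x18, 0x0f, '2','0','3','8','0','1','1','9','0','3','1','4','0','8','Z' };

#define DER_TIME_ERROR INT64_MIN

enum not_after_class { NA_MALFORMED = 0, NA_NO_EXPIRY = 1, NA_FITS_32BIT = 2, NA_OVERFLOWS_32BIT = 3 };

/* The memcmp() check from the thread: is this DER Time byte-for-byte the no-expiry sentinel? */
int is_no_expiry_der(const unsigned char *der, size_t len) {
    return len == sizeof(NO_EXPIRY_DER) && memcmp(der, NO_EXPIRY_DER, len) == 0;
}

/* Parse n ASCII digits; -1 if any byte is not a digit. */
static int digits(const unsigned char *s, int n) {
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* Days since 1970-01-01 for a proleptic-Gregorian civil date (Howard Hinnant's algorithm). */
static int64_t days_from_civil(int64_t y, int m, int d) {
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Decode a DER UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ), the
 * only forms RFC 5280 allows in Validity, into seconds since the epoch. DER_TIME_ERROR on
 * malformed input. Day-of-month is only range-checked, not checked against the month length. */
int64_t der_time_to_epoch(const unsigned char *der, size_t len) {
    if (len < 2 || len != (size_t)der[1] + 2) return DER_TIME_ERROR;
    const unsigned char *s = der + 2;
    size_t n = len - 2;
    int64_t year;
    int off;
    if (der[0] == 0x17 && n == 13) {           /* UTCTime: 50..99 -> 19xx, 00..49 -> 20xx */
        int yy = digits(s, 2);
        if (yy < 0) return DER_TIME_ERROR;
        year = yy >= 50 ? 1900 + yy : 2000 + yy;
        off = 2;
    } else if (der[0] == 0x18 && n == 15) {    /* GeneralizedTime: four-digit year */
        year = digits(s, 4);
        if (year < 0) return DER_TIME_ERROR;
        off = 4;
    } else {
        return DER_TIME_ERROR;
    }
    if (s[n - 1] != 'Z') return DER_TIME_ERROR; /* RFC 5280 requires the Zulu form */
    int mon = digits(s + off, 2), day = digits(s + off + 2, 2), hh = digits(s + off + 4, 2);
    int mi = digits(s + off + 6, 2), ss = digits(s + off + 8, 2);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hh < 0 || hh > 23 ||
        mi < 0 || mi > 59 || ss < 0 || ss > 59) return DER_TIME_ERROR;
    return days_from_civil(year, mon, day) * 86400 + hh * 3600 + mi * 60 + ss;
}

/* What a 32-bit device should know about a notAfter before it compares it with its own clock. */
enum not_after_class classify_not_after(const unsigned char *der, size_t len) {
    if (is_no_expiry_der(der, len)) return NA_NO_EXPIRY;
    int64_t t = der_time_to_epoch(der, len);
    if (t == DER_TIME_ERROR) return NA_MALFORMED;
    return (t >= INT32_MIN && t <= INT32_MAX) ? NA_FITS_32BIT : NA_OVERFLOWS_32BIT;
}

int main(void) {
    static const char *names[] = { "malformed", "no-expiry sentinel", "fits 32-bit time_t", "overflows 32-bit time_t" };
    printf("99991231235959Z : %s\n", names[classify_not_after(NO_EXPIRY_DER, sizeof NO_EXPIRY_DER)]);
    printf("170913203650Z   : %s\n", names[classify_not_after(SAMPLE_UTC_2017, sizeof SAMPLE_UTC_2017)]);
    printf("20380119031407Z : %s\n", names[classify_not_after(SAMPLE_GT_LAST32, sizeof SAMPLE_GT_LAST32)]);
    printf("20380119031408Z : %s\n", names[classify_not_after(SAMPLE_GT_OVER32, sizeof SAMPLE_GT_OVER32)]);
    return 0;
}
```

The sentinel test runs before any parsing on purpose: 9999-12-31 decodes to 253402300799, which also overflows 32 bits, so a device that only checks "does it fit time_t" would misfile the no-expiry case as a plain overflow instead of treating it as "never expires".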