[openssl-users] in the department of "ain't no perfect"

Charles Mills charlesm at mcn.org
Wed Jan 16 20:04:07 UTC 2019

Temporary solutions that "work" tend to become permanent solutions.

That's how products end up shipping with hard-coded admin passwords or similar back doors.


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Hubert Kario
Sent: Wednesday, January 16, 2019 6:47 AM
To: Eliot Lear
Cc: openssl-users at openssl.org
Subject: Re: [openssl-users] in the department of "ain't no perfect"

On Wednesday, 16 January 2019 13:22:53 CET Eliot Lear wrote:
> Hi Hubert
> On 16.01.19 12:27, Hubert Kario wrote:
> > For maintaining signatures that need to be valid long into the 
> > future standards like CAdES should be used. They keep time of 
> > signing in timestamps signed by trusted time-stamping authorities, 
> > along with the rest of revocation data necessary to verify the original signature.
> Understood.  At this point in the maturity cycle of the technology, 
> we're just not there yet.  My choices are, have people ignore invalid 
> signatures in their entirety or provide something more nuanced for now.

you don't have to start with implementing the full CAdES-LTA, you can start with just adding support for timestamping, the CAdES-T

using time from the signature to verify it is as good as ignoring the certificate expiration date - if you need to make the signatures verifiable now, do that, not use the false sense of security of using easily fakeable date

More information about the openssl-users mailing list