[openssl-users] in the department of "ain't no perfect"

Hubert Kario hkario at redhat.com
Fri Jan 18 18:18:05 UTC 2019


On Friday, 18 January 2019 05:45:11 CET Jakob Bohm via openssl-users wrote:
> On 16/01/2019 21:25, Viktor Dukhovni wrote:
> >> On Jan 15, 2019, at 10:29 AM, Eliot Lear <lear at ofcourseimright.com>
> > The naïve model of using the signer and recipient keys as long-term
> > verification and decryption keys is deeply flawed for data retention.
> > This is a big part of the reason why end-to-end email encryption has
> > negligible adoption, the storage infrastructure to make it usable was
> > never built.
> 
> As explained above, most of that storage infrastructure is in
> fact in place, but the major e-mail clients lack the code to use
> it.  For example the "openssl cms" command (used by some unix mail
> clients, such as Mutt) doesn't have an option to specify the "as of"
> date extracted from an external trusted source.

It does in newer versions (it is definitely present in 1.1.0i):
 -attime intmax             verification epoch time

> Nor does it have
> an option to input a recorded OCSP response or CRL to be validated
> and used according to that "as of" date.

That's true.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
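As an added example (not part of this thread, and not OpenSSL's own documentation), the script below drives the `openssl cms -verify -attime` option Hubert points to. It builds a throw-away self-signed signer certificate valid for one day, signs a constructed message, records the signing time as the stand-in for an "as of" date that a mail archive would obtain from a trusted external source, and then verifies the stored message as of three different instants: the recorded signing time (valid), two days earlier (signer not yet valid) and two days later (signer expired). It assumes an `openssl` binary whose `cms` subcommand accepts `-attime` (the thread says 1.1.0i and later do), plus POSIX `mktemp` and a `date` that understands `+%s`; the certificate subject, file names and the `cms_verify_at` and `verdict` helper names are all constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: use `openssl cms -verify -attime` to
# validate an S/MIME signature "as of" a recorded epoch time rather than the
# current clock. Assumes openssl with -attime in cms (>= 1.1.0i per the thread),
# POSIX mktemp, and `date +%s`. Every key, cert and message below is constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed signer: throw-away self-signed certificate valid for one day from now.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=constructed-signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1

# Constructed message, signed now. SIGNED_AT stands in for the "as of" date an
# archive would record from a trusted external source (e.g. a timestamp token).
printf 'Subject: constructed test\n\nhello\n' > "$WORK/msg.txt"
openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/signer.crt" \
    -inkey "$WORK/signer.key" -out "$WORK/msg.p7m" 2>/dev/null
SIGNED_AT=$(date +%s)

# cms_verify_at EPOCH: verify the stored message as if the clock read EPOCH.
# The signer cert doubles as the trust anchor (-CAfile) so the outcome depends
# only on its validity window, not on the system trust store.
# Exit status 0 means the signature chains to a cert valid at that instant.
cms_verify_at() {
    openssl cms -verify -in "$WORK/msg.p7m" -CAfile "$WORK/signer.crt" \
        -attime "$1" -out /dev/null >/dev/null 2>&1
}

# verdict EPOCH: prints "valid" or "invalid" for the instant EPOCH.
verdict() {
    if cms_verify_at "$1"; then echo "valid"; else echo "invalid"; fi
}

DAY=86400
echo "at recorded signing time: $(verdict "$SIGNED_AT")"                    # valid
echo "two days before signing:  $(verdict $((SIGNED_AT - 2 * DAY)))"        # invalid (not yet valid)
echo "two days after signing:   $(verdict $((SIGNED_AT + 2 * DAY)))"        # invalid (expired)
```

The third case is the one the thread is about: once the signer certificate has expired, a client that verifies against the current clock will reject a perfectly good archived message, while passing the recorded signing time via `-attime` still yields a valid result. What `-attime` does not cover, as Hubert agrees, is feeding in a CRL or OCSP response captured at that same instant; the example above therefore only exercises validity-period checking.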