Martin Rex wrote:
>
> Your example populated the "notbefore" and "notafter" members with
> conflicting values (i.e. notafter>notbefore). This may needlessly
> create a problem with implementations that check notbefore/notafter
> even for trust anchors.
Ooops, typo, I meant (notbefore>notafter) is bogus:
>
> issuer= /CN=*
> notBefore=Jan 17 06:18:09 2014 GMT
> notAfter=Jan 16 06:18:09 2014 GMT
> subject= /CN=*
When I've been creating self-signed certs in the past,
then with "notBefore" set to "now minus 24hours" and
"notAfter" set to Jan 1, 2038. The latter to reduce potential
interop problems with older 32-bit PKIX implementations that may
try to convert the date into a 32-bit time_t value on ASN.1 decode.
One of these days I will have to change the code to use
a notafter "Dec 1, 2049" (so that it still encodes as UTCTime rather
than GeneralizedTime), and maybe in 10 years it will be safe to
use a value like "Dec 1, 2999".
-Martin
PS: if anyone is wondering why the "year 3000" avoidance:
I'm just trying to be conservative in what I send out, and I've
encountered one platform where the vendor decided that a C89
program which passes a (64-bit) time_t that represents a date
after 23:59:59, December 31, 3000 to some of the C89 time-related
functions such as gmtime() should be crashed (i.e. fatally terminated)
rather than see the behaviour described in the C89 specification.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
