On Thu, 2013-03-14 at 12:34 +0000, David Howells wrote: > Remove the certificate date checks that are performed when a certificate is > parsed. There are two checks: a valid from and a valid to. The first check > is > causing a lot of problems with system clocks that don't keep good time and the > second places an implicit expiry date upon the kernel when used for module > signing, so do we really need them?
While the date check is entirely bogus for the specific case of module signing, I don't think we necessarily ought to rip it out of our generic X.509 support entirely. Some use cases *might* want to check the dates, and should be permitted to do so. Just don't refuse to even *parse* the key outside its valid date range... :) -- David Woodhouse Open Source Technology Centre david.woodho...@intel.com Intel Corporation
smime.p7s
Description: S/MIME cryptographic signature
