On Wed, 22 Jul 2015 13:09:48 +0000 "Woodhouse, David via RT" <r...@openssl.org> wrote:
> There are various circumstances in which it makes no sense to be > checking the start and end times of a certificate's validity. > > When validating OS kernel drivers, or indeed when validating the OS > kernel itself when the firmware loads it, we *really* don't want to > have a built-in obsolescence date after which the system will no > longer function. That would be a bad thing even if we *could* > reliably trust the system's real time clock at this stage in the boot > sequence. Isn't it better to check if certificate was valid at the time of signing? Typically compiler somehow puts compilation timestamp into compiled binaries. So, I think, this time should be used as argument to X509_VERIFY_PARAM_set_time instead of wall clock time. Or, may be there is something like CMS signing attributes with signing time. s _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev