On Wed, 2015-07-22 at 14:58 +0000, Victor Wagner via RT wrote:
> Isn't it better to check if certificate was valid at the time of
> signing?

Is there a benefit to that which would make it worth the additional
complexity?

> Typically compiler somehow puts compilation timestamp into compiled
> binaries. So, I think, this time should be used as argument to
> X509_VERIFY_PARAM_set_time instead of wall clock time.

For the UEFI build we try to avoid all non-repeatable things like that
being included in the binaries. I'm still worrying about how to
approach the patch at the end of the list¹ which removes all those
instances of __FILE__ and __LINE__... I have a vague recollection of
there being a discussion on this list about that, fairly recently, and
I need to go back and find it.

> Or, maybe there is something like CMS signing attributes with
> signing time.

Did I not send the patch which fixes the OPENSSL_NO_CMS build yet? :)


-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation

¹ http://git.infradead.org/users/dwmw2/openssl.git/commitdiff/b599f07d

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev