Re: [PATCH] X.509: Remove certificate date checks

From: David Woodhouse
Date: Thu Mar 14 2013 - 08:48:36 EST

Next message: Philip, Avinash: "RE: [PATCH 1/3] pwm: davinci: Add Kconfig support for ECAP & EHRPWMdevices"
Previous message: Vivek Gautam: "[PATCH v2 1/2] usb: dwc3: exynos: Use of_platform API to create dwc3core pdev"
In reply to: David Howells: "[PATCH] X.509: Remove certificate date checks"
Next in thread: Alexander Holler: "Re: [PATCH] X.509: Remove certificate date checks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2013-03-14 at 12:34 +0000, David Howells wrote:
> Remove the certificate date checks that are performed when a certificate is
> parsed. There are two checks: a valid from and a valid to. The first check is
> causing a lot of problems with system clocks that don't keep good time and the
> second places an implicit expiry date upon the kernel when used for module
> signing, so do we really need them?

While the date check is entirely bogus for the specific case of module
signing, I don't think we necessarily ought to rip it out of our generic
X.509 support entirely.

Some use cases *might* want to check the dates, and should be permitted
to do so. Just don't refuse to even *parse* the key outside its valid
date range... :)

--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Next message: Philip, Avinash: "RE: [PATCH 1/3] pwm: davinci: Add Kconfig support for ECAP & EHRPWMdevices"
Previous message: Vivek Gautam: "[PATCH v2 1/2] usb: dwc3: exynos: Use of_platform API to create dwc3core pdev"
In reply to: David Howells: "[PATCH] X.509: Remove certificate date checks"
Next in thread: Alexander Holler: "Re: [PATCH] X.509: Remove certificate date checks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]