Re: [PATCH] X.509: Remove certificate date checks

From: David Woodhouse
Date: Thu Mar 14 2013 - 13:09:47 EST


On Thu, 2013-03-14 at 17:22 +0100, Alexander Holler wrote:
>
> Agreed (thats what my patch did).
>
> I've introduced a new config option because I don't know if something (a
> use case I don't know) relies on the validity check of the dates in the
> parser. If there currently isn't such a user, just removing the validity
> check in the parser might be enough.

Is there *is* such a user, it's broken already. The key could have been
loaded (and passed the existing check) *months* ago, expired seconds
after it was loaded, and your hypothetical user could still be happily
trusting it.

> Offering the parsed dates for later usage is still a good idea.

Right.

--
dwmw2

Attachment: smime.p7s
Description: S/MIME cryptographic signature