[botan-devel] Sanity check currently ends on year 2100

Jack Lloyd lloyd at randombit.net
Thu Apr 5 11:01:08 EDT 2012


On Thu, Apr 05, 2012 at 11:54:32AM +0200, Ondrej Spanel wrote:
> Hello,
> 
> the function X509_Time::passes_sanity_check currently considers all 
> dates after 2100 to be "insane". The date seems quite close to me, and 
> actually there already exist certificates which have expiry set to over 
> 2100. One example are local self signed file encryption certificates of 
> Microsoft Windows file system, which are issued to expire after 100 
> years, i.e. a certificate you will get if you install a new user account 
> today will have the expire date in 2112.

Hah! Wow, keeping a cert for 100 years seems more than a little
ambitious. And I wouldn't want to put any odds on any key remaining
secure for that long, 100 years is a long time in Moore's Law
Land. But I suppose there is no reason to reject them out of hand.

GeneralizedTime has an absolute max year value of 9999, so no valid
ASN.1 date could be more than that. I will probably limit to 2200
though.

Can you send me an example of one of these certificates to test against?

-Jack
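
An added example, not part of the original message and not Botan's X509_Time code: a small parser for the two ASN.1 time encodings used in certificates, with the year ceiling passed as a parameter so the effect of 2100 versus 2200 on a certificate expiring in 2112 can be checked. The names AsnTime, parse_asn1_time, sane_with_ceiling and time_is_sane, the 1950 floor, and the sample date strings are constructed for this illustration.

```cpp
// Added illustration; not Botan's X509_Time code. Names are hypothetical.
#include <cctype>
#include <string>

struct AsnTime { int year, month, day, hour, minute, second; };

// Parse UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ",
// the two encodings RFC 5280 allows for certificate validity dates.
bool parse_asn1_time(const std::string& s, AsnTime& t) {
    const bool utc = (s.size() == 13);
    if ((!utc && s.size() != 15) || s.back() != 'Z') return false;
    for (std::size_t i = 0; i + 1 < s.size(); ++i)
        if (!std::isdigit(static_cast<unsigned char>(s[i]))) return false;
    std::size_t pos = 0;
    auto take = [&](std::size_t n) -> int {
        int v = 0;
        while (n--) v = v * 10 + (s[pos++] - '0');
        return v;
    };
    if (utc) {
        const int yy = take(2);
        t.year = (yy >= 50) ? 1900 + yy : 2000 + yy;  // RFC 5280 two-digit pivot
    } else {
        t.year = take(4);  // four digits, so 9999 is the largest encodable year
    }
    t.month = take(2); t.day = take(2);
    t.hour = take(2); t.minute = take(2); t.second = take(2);
    return true;
}

// Range check with the year ceiling as a parameter, so the effect of
// 2100 versus 2200 is visible. The 1950 floor is an assumption of this example.
bool sane_with_ceiling(const AsnTime& t, int max_year) {
    if (t.year < 1950 || t.year > max_year) return false;
    if (t.month < 1 || t.month > 12 || t.day < 1 || t.day > 31) return false;
    return t.hour <= 23 && t.minute <= 59 && t.second <= 59;
}

// Parse, then apply the ceiling; malformed strings are rejected too.
bool time_is_sane(const std::string& s, int max_year) {
    AsnTime t{};
    return parse_asn1_time(s, t) && sane_with_ceiling(t, max_year);
}
```

With a ceiling of 2100, the constructed GeneralizedTime value `21120405110108Z` is rejected; with 2200 it is accepted, while a year of 9999 is still refused.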


