[botan-devel] Sanity check currently ends on year 2100
lloyd at randombit.net
Thu Apr 5 11:01:08 EDT 2012
On Thu, Apr 05, 2012 at 11:54:32AM +0200, Ondrej Spanel wrote:
> the function X509_Time::passes_sanity_check currently considers all
> dates after 2100 to be "insane". The date seems quite close to me, and
> actually there already exist certificates which have expiry set to over
> 2100. One example is the local self-signed file encryption certificates of
> Microsoft Windows file system, which are issued to expire after 100
> years, i.e. a certificate you will get if you install a new user account
> today will have the expiry date in 2112.

Hah! Wow, keeping a cert for 100 years seems more than a little
ambitious. And I wouldn't want to put any odds on any key remaining
secure for that long, 100 years is a long time in Moore's Law
Land. But I suppose there is no reason to reject them out of hand.

GeneralizedTime has an absolute max year value of 9999, so no valid
ASN.1 date could be more than that. I will probably limit to 2200.

Can you send me an example of one of these certificates to test against?
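
The effect of the upper year bound discussed in this thread, as an added example that is not part of the original message and is not Botan's code: a standalone parser for the two X.509 time encodings with the year limit passed as a parameter. The names `CertTime`, `parse_asn1_time`, `within_sane_range` and `time_is_sane` are hypothetical, the 1950 lower bound is an assumption, and the sample `notAfter` value is constructed.

```cpp
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>

// Hypothetical stand-in for a decoded certificate time (not Botan's X509_Time).
struct CertTime { int year, month, day, hour, minute, second; };

// Parse UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ".
bool parse_asn1_time(const std::string& s, CertTime& t) {
    const bool utc = (s.size() == 13);
    if ((!utc && s.size() != 15) || s.back() != 'Z') return false;
    for (std::size_t i = 0; i + 1 < s.size(); ++i)
        if (!std::isdigit(static_cast<unsigned char>(s[i]))) return false;
    auto num = [&s](std::size_t pos, std::size_t len) { return std::stoi(s.substr(pos, len)); };
    const std::size_t p = utc ? 2 : 4;  // width of the year field
    t.year = num(0, p);
    // RFC 5280: two-digit years 50..99 mean 19YY, 00..49 mean 20YY.
    if (utc) t.year += (t.year >= 50) ? 1900 : 2000;
    t.month = num(p, 2);      t.day = num(p + 2, 2);
    t.hour = num(p + 4, 2);   t.minute = num(p + 6, 2);
    t.second = num(p + 8, 2);
    return true;
}

bool is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

// Range check with the upper year bound as a parameter. The 1950 lower bound
// is an assumption of this example (the earliest year UTCTime can express).
bool within_sane_range(const CertTime& t, int max_year) {
    static const int days[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    if (t.year < 1950 || t.year > max_year) return false;
    if (t.month < 1 || t.month > 12) return false;
    const int dim = days[t.month - 1] + ((t.month == 2 && is_leap(t.year)) ? 1 : 0);
    if (t.day < 1 || t.day > dim) return false;
    return t.hour <= 23 && t.minute <= 59 && t.second <= 59;
}

bool time_is_sane(const std::string& encoded, int max_year) {
    CertTime t{};
    return parse_asn1_time(encoded, t) && within_sane_range(t, max_year);
}

int main() {
    const std::string not_after = "21120405110108Z";  // constructed sample, year 2112
    for (int limit : {2100, 2200, 9999})
        std::cout << "limit " << limit << ": "
                  << (time_is_sane(not_after, limit) ? "accepted" : "rejected") << "\n";
}
```

A year such as 2112 can only arrive as GeneralizedTime, because the two-digit UTCTime year cannot express anything past 2049.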