From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Message-ID: <5141F952.8000204@ahsoftware.de>
Date: Thu, 14 Mar 2013 17:22:42 +0100
From: Alexander Holler
MIME-Version: 1.0
To: David Woodhouse
CC: David Howells, rusty@rustcorp.com.au, torvalds@linux-foundation.org, keyrings@linux-nfs.org, Josh Boyer, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] X.509: Remove certificate date checks
References: <20130314123413.13286.62117.stgit@warthog.procyon.org.uk> <1363265300.4853.37.camel@i7.infradead.org>
In-Reply-To: <1363265300.4853.37.camel@i7.infradead.org>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:

On 14.03.2013 13:48, David Woodhouse wrote:
> On Thu, 2013-03-14 at 12:34 +0000, David Howells wrote:
>> Remove the certificate date checks that are performed when a certificate is
>> parsed. There are two checks: a valid from and a valid to. The first check is
>> causing a lot of problems with system clocks that don't keep good time and the
>> second places an implicit expiry date upon the kernel when used for module
>> signing, so do we really need them?
>
> While the date check is entirely bogus for the specific case of module
> signing, I don't think we necessarily ought to rip it out of our generic
> X.509 support entirely.
>
> Some use cases *might* want to check the dates, and should be permitted
> to do so. Just don't refuse to even *parse* the key outside its valid
> date range... :)

Agreed (that's what my patch did).

I've introduced a new config option because I don't know if something (a use
case I don't know) relies on the validity check of the dates in the parser.
If there currently isn't such a user, just removing the validity check in the
parser might be enough.

Offering the parsed dates for later usage is still a good idea.

Regards,

Alexander
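The split the thread argues for, decoding the Validity dates during parsing but leaving the accept/reject decision to a separate policy step that a use case such as module signing can switch off, looks like this in an added Python example. This is illustrative code, not the kernel's X.509 parser or anything from the patch under discussion; the DER bytes, the function names and the `enforce_dates` flag are all constructed for the example.

```python
"""Decode the Validity field of a DER-encoded X.509 certificate, then apply
the date check as a separate, caller-selected policy step.

Added example, not the kernel's code. The DER blobs are constructed here and
do not come from any real certificate.
"""
from datetime import datetime, timezone

# Constructed sample: a DER Validity SEQUENCE holding two UTCTime values
# (notBefore 2013-03-14 00:00:00Z, notAfter 2023-03-14 00:00:00Z).
VALIDITY_DER = (
    b"\x30\x1e"                    # SEQUENCE, 30 bytes of content
    b"\x17\x0d" b"130314000000Z"   # UTCTime  notBefore
    b"\x17\x0d" b"230314000000Z"   # UTCTime  notAfter
)

SEQUENCE = 0x30
UTC_TIME = 0x17
GENERALIZED_TIME = 0x18


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (also handy as a fixed test clock)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value triple at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_time(tag, value):
    """Decode an X.509 Time (UTCTime or GeneralizedTime, 'Z' form) into a datetime."""
    text = value.decode("ascii")
    if not text.endswith("Z"):
        raise ValueError("only UTC ('Z') times are accepted, as RFC 5280 requires")
    digits = text[:-1]
    if tag == UTC_TIME and len(digits) == 12:
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 two-digit year rule
        rest = digits[2:]
    elif tag == GENERALIZED_TIME and len(digits) == 14:
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError("unsupported time encoding")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return utc(year, month, day, hour, minute, second)


def parse_validity(der):
    """Parse a Validity SEQUENCE and return (not_before, not_after).

    Parsing never rejects the certificate because of its dates; it only
    decodes them so that a later policy step can decide what to do.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("Validity must be a single SEQUENCE")
    nb_tag, nb_val, pos = _read_tlv(body, 0)
    na_tag, na_val, pos = _read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing data in Validity")
    return _decode_time(nb_tag, nb_val), _decode_time(na_tag, na_val)


def check_validity(not_before, not_after, now, enforce_dates=True):
    """Policy step, kept apart from parsing: return (accepted, reason).

    enforce_dates=False models a use such as module signing, where the
    signing key's expiry must not make already-built modules unloadable.
    """
    if not enforce_dates:
        return True, "date check skipped by policy"
    if now < not_before:
        return False, "certificate not yet valid (check the system clock)"
    if now > not_after:
        return False, "certificate expired"
    return True, "within validity period"


if __name__ == "__main__":
    nb, na = parse_validity(VALIDITY_DER)
    print("notBefore:", nb.isoformat(), " notAfter:", na.isoformat())
    for clock in (utc(2015, 1, 1), utc(2030, 1, 1)):
        print(clock.date(), check_validity(nb, na, clock),
              check_validity(nb, na, clock, enforce_dates=False))
```

A certificate whose notAfter is the GeneralizedTime `99991231235959Z` decodes to the year 9999, which RFC 5280 uses to mean "no well-defined expiry"; with the check separated from parsing, that and a skewed system clock both become policy questions rather than parse failures.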