stable.vger.kernel.org archive mirror
From: Alexander Holler <holler@ahsoftware.de>
To: David Woodhouse <dwmw2@infradead.org>
Cc: David Howells <dhowells@redhat.com>,
	rusty@rustcorp.com.au, torvalds@linux-foundation.org,
	keyrings@linux-nfs.org, Josh Boyer <jwboyer@redhat.com>,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] X.509: Remove certificate date checks
Date: Thu, 14 Mar 2013 18:42:29 +0100	[thread overview]
Message-ID: <51420C05.30206@ahsoftware.de> (raw)
In-Reply-To: <1363280964.4853.89.camel@i7.infradead.org>

On 14.03.2013 18:09, David Woodhouse wrote:
> On Thu, 2013-03-14 at 17:22 +0100, Alexander Holler wrote:
>>
>> Agreed (thats what my patch did).
>>
>> I've introduced a new config option because I don't know if something (a
>> use case I don't know) relies on the validity check of the dates in the
>> parser. If there currently isn't such a user, just removing the validity
>> check in the parser might be enough.
>
> If there *is* such a user, it's broken already. The key could have been
> loaded (and passed the existing check) *months* ago, expired seconds
> after it was loaded, and your hypothetical user could still be happily
> trusting it.

As the user (program or whatever) calls the parser, he knows if he can 
trust it to validate dates. So there might be something for which the 
current implementation works (parsing date = using date).

I just don't know, because I've only discovered that glitch while trying 
to use modsign to be sure no unsigned module (I've compiled myself) will 
become loaded (I compile the kernel and delete the keys right 
afterwards). So I don't know anything about if and how the crypto-api to 
load x.509 keys is used besides modsign. ;)

Regards,

Alexander

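The point argued in this thread is that a validity-date check done inside the X.509 parser only says the certificate was valid at the moment it was loaded, which tells a later user of the key nothing. The following is an added example written for this page, not the kernel's x509_cert_parser.c and not code posted by anyone in the thread. It parses the ASN.1 Validity SEQUENCE (UTCTime with the RFC 5280 two-digit-year pivot, and GeneralizedTime) from constructed DER bytes, then models a load-time check versus a use-time check with two hypothetical functions, load_key and verify_with_key, that stand in for the parser and for a keyring user such as module signature verification; the DER values and timestamps are constructed for the demonstration.

```python
from datetime import datetime, timezone

UTC_TIME = 0x17          # ASN.1 UTCTime, "YYMMDDHHMMSSZ"
GENERALIZED_TIME = 0x18  # ASN.1 GeneralizedTime, "YYYYMMDDHHMMSSZ"


def parse_asn1_time(tag, value):
    """Decode a DER UTCTime or GeneralizedTime value to an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == UTC_TIME:
        if len(text) != 13 or text[-1] != "Z":
            raise ValueError("bad UTCTime %r" % text)
        yy = int(text[:2])
        # RFC 5280 4.1.2.5.1: two-digit years 50..99 mean 19xx, 00..49 mean 20xx
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = text[2:12]
    elif tag == GENERALIZED_TIME:
        if len(text) != 15 or text[-1] != "Z":
            raise ValueError("bad GeneralizedTime %r" % text)
        year = int(text[:4])
        rest = text[4:14]
    else:
        raise ValueError("not a Time tag: 0x%02x" % tag)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _read_tlv(der, off):
    """Read one DER TLV with a short-form length; return (tag, value, next_off)."""
    if off + 2 > len(der):
        raise ValueError("truncated TLV")
    tag, length = der[off], der[off + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in Validity")
    end = off + 2 + length
    if end > len(der):
        raise ValueError("truncated TLV")
    return tag, der[off + 2:end], end


def parse_validity(der):
    """Parse Validity ::= SEQUENCE { notBefore Time, notAfter Time }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Validity is not a single SEQUENCE")
    nb_tag, nb_val, off = _read_tlv(body, 0)
    na_tag, na_val, off = _read_tlv(body, off)
    if off != len(body):
        raise ValueError("trailing data in Validity")
    return parse_asn1_time(nb_tag, nb_val), parse_asn1_time(na_tag, na_val)


class LoadedKey:
    """A key sitting in a keyring; it keeps its validity window with it."""
    def __init__(self, not_before, not_after):
        self.not_before = not_before
        self.not_after = not_after

    def valid_at(self, when):
        return self.not_before <= when <= self.not_after


def load_key(validity_der, now, check_dates_in_parser):
    """Hypothetical model of the parser: optionally reject a cert not valid *now*."""
    not_before, not_after = parse_validity(validity_der)
    key = LoadedKey(not_before, not_after)
    if check_dates_in_parser and not key.valid_at(now):
        raise ValueError("certificate not valid at load time")
    return key


def verify_with_key(key, now, check_dates_at_use):
    """Hypothetical model of a key user (e.g. signature verification) at time `now`."""
    if check_dates_at_use and not key.valid_at(now):
        return False
    return True  # the signature check itself is out of scope here


# Constructed DER Validity values (not taken from any real certificate):
# notBefore 2013-03-14 17:00:00Z, notAfter 30 seconds later, both UTCTime.
SHORT_LIVED = (b"\x30\x1e"
               b"\x17\x0d" b"130314170000Z"
               b"\x17\x0d" b"130314170030Z")
# A notAfter in 2050 has to be GeneralizedTime; UTCTime stops at 2049.
LONG_LIVED = (b"\x30\x20"
              b"\x17\x0d" b"130314170000Z"
              b"\x18\x0f" b"20500101000000Z")

LOAD_TIME = datetime(2013, 3, 14, 17, 0, 10, tzinfo=timezone.utc)   # constructed
USE_TIME = datetime(2013, 3, 14, 17, 42, 29, tzinfo=timezone.utc)   # constructed


def demo():
    """The load-time check passes, yet the key has expired by the time it is used."""
    key = load_key(SHORT_LIVED, LOAD_TIME, check_dates_in_parser=True)
    trusted_blindly = verify_with_key(key, USE_TIME, check_dates_at_use=False)
    trusted_with_check = verify_with_key(key, USE_TIME, check_dates_at_use=True)
    return trusted_blindly, trusted_with_check


if __name__ == "__main__":
    print(demo())
```

demo() returns (True, False): a user that relies on the parser having checked the dates keeps trusting the key 42 minutes after it expired, while a user that checks at verification time rejects it. Whichever side does the check, the parser has to keep the notBefore/notAfter values available rather than discarding them after a one-time test.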

Thread overview:
2013-03-14 12:34 [PATCH] X.509: Remove certificate date checks David Howells
2013-03-14 12:48 ` David Woodhouse
2013-03-14 16:22   ` Alexander Holler
2013-03-14 17:09     ` David Woodhouse
2013-03-14 17:42       ` Alexander Holler [this message]
