Re: [dane] "Name Checks are not appropriate for CU=3" (Martin Rex) Sat, 18 January 2014 00:14 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 99EDD1AD8EF for <>; Fri, 17 Jan 2014 16:14:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id J4rbCAAxlqxr for <>; Fri, 17 Jan 2014 16:14:39 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 862BA1AD8ED for <>; Fri, 17 Jan 2014 16:14:38 -0800 (PST)
Received: from by (26) with ESMTP id s0I0EPR3010001 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <>; Sat, 18 Jan 2014 01:14:25 +0100 (MET)
In-Reply-To: <>
Date: Sat, 18 Jan 2014 01:14:25 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <>
From: (Martin Rex)
X-SAP: out
Subject: Re: [dane] "Name Checks are not appropriate for CU=3"
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 18 Jan 2014 00:14:41 -0000

Martin Rex wrote:
> Your example populated the "notbefore" and "notafter" members with
> conflicting values (i.e. notafter>notbefore).  This may needlessly
> create a problem with implementations that check notbefore/notafter
> even for trust anchors.

Ooops, typo, I meant (notbefore>notafter) is bogus:

> issuer= /CN=*
> notBefore=Jan 17 06:18:09 2014 GMT
> notAfter=Jan 16 06:18:09 2014 GMT
> subject= /CN=*

When I've been creating self-signed certs in the past,
then with "notBefore" set to "now minus 24hours" and
"notAfter" set to Jan 1, 2038.  The latter to reduce potential
interop problems with older 32-bit PKIX implementations that may
try to convert the date into a 32-bit time_t value on ASN.1 decode.

One of these days I will have to change the code to use
a notafter "Dec 1, 2049" (so that it still encodes as UTCTime rather
than GeneralizedTime), and maybe in 10 years it will be safe to
use a value like "Dec 1, 2999".


PS: if anyone is wondering why the "year 3000" avoidance:
    I'm just trying to be conservative in what I send out, and I've
    encountered one platform where the vendor decided that a C89
    program which passes a (64-bit) time_t that represents a date
    after 23:59:59, December 31, 3000 to some of the C89 time-related
    functions such as gmtime() should be crashed (i.e. fatally terminated)
    rather than see the behaviour described in the C89 specification.