On Thu, Jul 17, 2014 at 12:56:40AM -0400, Daniel Kahn Gillmor wrote:
> > You've declared "-days" to take only positive numbers, it should
> > allow negative numbers.
>
> why? Or at least: why accept these generally unacceptable options by
> default? I can understand wanting to be able to create perverse
> certificates to test validation stacks, but i don't think that the
> command line tool used by many people to create certs should be willing
> to create known bad certs without explicitly overriding a warning or
> something.
Command-line tools on unix systems do what they're told. The
resulting certificate is well-formed, and never valid. However
in some applications expiration checks are irrelevant (fingerprint
checks and the like), and a deliberately pre-expired certificate
may be a reasonable choice.
Higher-level tools can check the "days" argument before invoking
the openssl apps layer. It should not be necessary to write C code
to generate well-formed if corner-case certificates.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
