Re: [openssl-users] Custom lastUpdate in CRL
Interestingly, it is part of standard (automated) operations here. Specifically, we use it to verify that data from the past was actually signed with certificates that were valid at that (past) point in time. It is not an ideal interface, but seems reliable in the controlled environment where it is used.

On 09/09/2016 16:37, Rishi Pathak wrote:
> Hi Jakob,
> Thanks. It solved my problem for now. I agree with your suggestion.
> In our scenario this would be a regular thing for coming years and
> will not be seen as standard way for operations.
>
> On Fri, Sep 9, 2016 at 5:00 PM, Jakob Bohm wrote:
>> On 09/09/2016 12:11, Rishi Pathak wrote:
>>> Hi,
>>> For a reason we require lastUpdate to be set to a date in the
>>> previous year, with nextUpdate a year from now in our CRL.
>>> Search on google led me to a patch which allows use of
>>> startDate/endDate for CRL generation as well apart from certificates.
>>> Seems like 1.0-1 does not have it. Any pointers to how I can achieve
>>> this using OpenSSL(version) or another utility, preferably on Linux.
>>
>> For such tasks, I currently use the faketime utility program
>> to run the openssl command line tool in a context with the
>> data artificially set to the desired time in the past.
>>
>> I have previously suggested that an "as of" time argument
>> be added to certificate and signature validation operations,
>> and your use case suggests the same for issuance and signing
>> operations as well.
>>
>> In fact, it seems the general solution (in future OpenSSL
>> updates) would be for all operations that use the "current
>> time/date" to accept an alternative value of that as an
>> argument.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Custom lastUpdate in CRL
Hi Jakob,
Thanks. It solved my problem for now. I agree with your suggestion.
In our scenario this would be a regular thing for coming years and will not be seen as standard way for operations.

--
Rishi Pathak

On Fri, Sep 9, 2016 at 5:00 PM, Jakob Bohm wrote:
> On 09/09/2016 12:11, Rishi Pathak wrote:
>> Hi,
>> For a reason we require lastUpdate to be set to a date in the
>> previous year, with nextUpdate a year from now in our CRL.
>> Search on google led me to a patch which allows use of
>> startDate/endDate for CRL generation as well apart from certificates.
>> Seems like 1.0-1 does not have it. Any pointers to how I can achieve
>> this using OpenSSL(version) or another utility, preferably on Linux.
>
> For such tasks, I currently use the faketime utility program
> to run the openssl command line tool in a context with the
> data artificially set to the desired time in the past.
>
> I have previously suggested that an "as of" time argument
> be added to certificate and signature validation operations,
> and your use case suggests the same for issuance and signing
> operations as well.
>
> In fact, it seems the general solution (in future OpenSSL
> updates) would be for all operations that use the "current
> time/date" to accept an alternative value of that as an
> argument.
>
> Enjoy
>
> Jakob

--
-This message is sent with 100% recycled electrons---

Re: [openssl-users] Custom lastUpdate in CRL
On 09/09/2016 12:11, Rishi Pathak wrote:
> Hi,
> For a reason we require lastUpdate to be set to a date in the
> previous year, with nextUpdate a year from now in our CRL.
> Search on google led me to a patch which allows use of
> startDate/endDate for CRL generation as well apart from certificates.
> Seems like 1.0-1 does not have it. Any pointers to how I can achieve
> this using OpenSSL(version) or another utility, preferably on Linux.

For such tasks, I currently use the faketime utility program to run the openssl command line tool in a context with the data artificially set to the desired time in the past.

I have previously suggested that an "as of" time argument be added to certificate and signature validation operations, and your use case suggests the same for issuance and signing operations as well.

In fact, it seems the general solution (in future OpenSSL updates) would be for all operations that use the "current time/date" to accept an alternative value of that as an argument.

Enjoy

Jakob
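
Added example, not part of any message in this thread: a sketch of the faketime approach described above for issuing a CRL with a backdated lastUpdate. It assumes GNU date, an installed faketime, and an openssl.cnf with a working CA section; the function names, the file paths and the sample dates are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU date; gen_backdated_crl
# also needs faketime and an openssl.cnf with a working [ ca ] section.

# Whole days (rounded up) from the faked clock to the wanted nextUpdate.
# "openssl ca -crldays" counts from the clock it sees, i.e. the faked time,
# so "a year from now" is more than 365 days when lastUpdate is backdated.
crl_days_needed() {
    from=$(date -u -d "$1" +%s) || return 1
    to=$(date -u -d "$2" +%s) || return 1
    [ "$to" -gt "$from" ] || return 1
    echo $(( ($to - $from + 86399) / 86400 ))
}

# Args: config file, lastUpdate, nextUpdate, output file (times in UTC).
gen_backdated_crl() {
    conf=$1; last_update=$2; next_update=$3; out=$4
    days=$(crl_days_needed "$last_update" "$next_update") || return 1
    # faketime starts the child's clock at last_update, which openssl
    # then records as lastUpdate in the CRL it signs.
    TZ=UTC faketime "$last_update" \
        openssl ca -config "$conf" -gencrl -crldays "$days" -out "$out" || return 1
    # Confirm what was actually written into the CRL.
    openssl crl -in "$out" -noout -lastupdate -nextupdate
}

# Example call (constructed dates, placeholder paths):
#   sh backdated_crl.sh ./openssl.cnf "2015-09-09 12:00:00" "2017-09-09 12:00:00" crl.pem
if [ "$#" -eq 4 ]; then
    gen_backdated_crl "$@"
fi
```

Because -crldays takes whole days, the nextUpdate written to the CRL can be up to one day later than the time requested.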