Re: Wrong system clock vs X.509 date specifiers

[Alan Cox]

On Tue, 25 Sep 2012 16:09:54 +0100
David Howells <dhowells@xxxxxxxxxx> wrote:

> 
> The X.509 certificate has a pair of times in it that delineate the valid
> period of the cert, and I'm checking that the system clock is within the
> bounds they define before permitting you to use the cert.  I've been setting
> the expiry date to be 100 years in the future - by which time hopefully I
> won't have to worry about it - but occasionally clock skew means a freshly
> built kernel won't boot because the machine trying to boot doesn't think that
> the start time has been reached yet.
> 
> Do we actually want to do this, however?  Or should we just ignore the times?
> Or just the start time?

Generate a certificate that is valid from a few minutes before the
wallclock time. It's a certificate policy question not a kernel hackery
one.

Be careful moving your system clock on 100 years and testing - ext4 gets
some timestamps wrong after 2038.

Alan


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/