RE: Y2k-Problem in certificat-file index.txt?

Salter, Thomas A Tue, 9 Mar 1999 15:57:39 -0500
The x.509 definition allows either UTCtime or GeneralizedTime.
GeneralizedTime supports a 4-digit year.  The usual understanding is that
2-digit years in the range 50-99 should be interpreted as 1950-1999 and the
range 00-49 as 2000-2049.  This is documented in RFC2459 "Internet X.509
Public Key Infrastructure Certificate and CRL Profile", and also, I believe,
in an update to either the ASN.1 encoding standards or the X.509 standard.

Some quotes from rfc2459:

4.1.2.5  Validity
        ...
   CAs conforming to this profile MUST always encode certificate
   validity dates through the year 2049 as UTCTime; certificate validity
   dates in 2050 or later MUST be encoded as GeneralizedTime.

4.1.2.5.1  UTCTime
        ...
   For the purposes of this profile, UTCTime values MUST be expressed
   Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are
   YYMMDDHHMMSSZ), even where the number of seconds is zero.  Conforming
   systems MUST interpret the year field (YY) as follows:

      Where YY is greater than or equal to 50, the year shall be
      interpreted as 19YY; and

      Where YY is less than 50, the year shall be interpreted as 20YY.





 > -----Original Message-----
 > From: Russell Selph [mailto:[EMAIL PROTECTED]]
 > Sent: Tuesday, March 09, 1999 2:42 PM
 > To: [EMAIL PROTECTED]
 > Subject: RE: Y2k-Problem in certificat-file index.txt?
 > 
 > 
 > -----BEGIN PGP SIGNED MESSAGE-----
 > Hash: SHA1
 > 
 > 
 > Actually, as far as I can tell, it's an ASN.1 problem.  (And 
 > therefore an
 > X.509 problem.)  It looks like the ASN.1 UTCTIME type only 
 > supports two
 > digit years.  OPENSSL makes the assumption that any year 
 > less than 70 is
 > in the range 2000-2069, while any year greater than 69 is in 
 > the range
 > 1970-1999.
 > 
 > Can anyone shed light on whether this is part of the ASN.1 
 > standard for
 > UTCTIME?  Even better, does anyone know if any other kind of date is
 > useable in X.509 certs?  Do other packages use the same cutoff year?
 > 
 > Of course, we know that nobody will still be using this 
 > software in 2070,
 > so it shouldn't be a problem anyway.  Right?   Ahem.    :^O
 > 
 > Russ Selph - [EMAIL PROTECTED]
 > Architect, TIBCO Software Inc.
 > GnuPG Key Fingerprint: EAFF 6465 B6F9 1E67 81AB  7234 AE00 
 > 9E6A 8D36 FEF8
 > See http://www.pgp.net/ for key retrieval.
 > veni vidi gdb
 > 
 > On Tue, 9 Mar 1999, Yuriy Stul wrote:
 > 
 > > Date: Tue, 9 Mar 1999 16:35:22 +0200
 > > From: Yuriy Stul <[EMAIL PROTECTED]>
 > > Reply-To: [EMAIL PROTECTED]
 > > To: [EMAIL PROTECTED]
 > > Subject: RE: Y2k-Problem in certificat-file index.txt?
 > > 
 > > Hello,
 > >    I think it is not problem only for SSLeay or OpenSSL. 
 > It is problem for
 > > MSIE and Netscape too.
 > > 
 > > Yuriy Stul.
 > > 
 > > > -----Original Message-----
 > > > From: [EMAIL PROTECTED]
 > > > [mailto:[EMAIL PROTECTED]]On Behalf Of 
 > Axel Findling
 > > > Sent: Tuesday, March 09, 1999 3:03 PM
 > > > To: [EMAIL PROTECTED]
 > > > Subject: Y2k-Problem in certificat-file index.txt?
 > > >
 > > >
 > > > Hello,
 > > >
 > > > the certificat-dates (expiring and revokation) in the file
 > > > index.txt have only 2 digits for the year.
 > > > example:
 > > >
 > > > V        001231171617Z           00      ....
 > > > R        991231171617Z   990308171617Z   01      ....
 > > > ...
 > > >
 > > >
 > > > I don't think that's fine - but is it a Y2k-problem in
 > > > OpenSSL0.9.1c(patched) ??
 > > >
 > > > In the certificates (TXT-form) the dates have four
 > > > digits for the year so why there are only 2 digits used 
 > in index.txt?
 > > >
 > > > thanks for comments..
 > > >
 > > > Axel Findling
 > > > 
 > --------------------------------------------------------------------
 > > > Dr. Axel Findling  --  Webmaster  --  
 > Leibniz-Rechenzentrum Muenchen
 > > >        http://www.lrz-muenchen.de/persons/axel_findling.html
 > > >
 > > > 
 > _____________________________________________________________
 > _________
 > > > OpenSSL Project                                 
http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> >
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE25XlvrgCeao02/vgRAohKAKCGNWtQFAlOC8SEl3fzNZFPezIJiACgqVmS
342UeZo23baoaqmJdCswKCs=
=4nOP
-----END PGP SIGNATURE-----

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
RE: Y2k-Problem in certificat-file index.txt?

Reply via email to
