Re: Millenium and 37 bug

Tue, 4 Jan 2000 04:17:08 -0800 

Rodney Thayer wrote:
> 
> you should be able to go to at least 2049, as the PKIX limit
> is around 2050.  I know some vendors have tested this.

PKIX is not limited to 2050, it simply changes format at that point. The
problem is, presumably, that the date calculation is not carried out in
an appropriate size of number.

Cheers,

Ben.

> 
> At 06:28 PM 1/3/00 +0000, Andrew Cooke wrote:
> 
> >Hi,
> >
> >Not really a open-ssl bug, but it's interesting and I'm curious to hear
> >how people will be dealing with it: has anyone tried to make a
> >certificate that lasts for the next century?  We tried (just because we
> >were fed up with test certificates expiring) and found that we couldn't
> >get past 2037, presumably because that's when "unix time" runs out of
> >bits (although this was on NT).
> >
> >Presumably the fix is to link against a library which has t_time defined
> >as something larger (or at least unsigned) - does such a library exist?
> >
> >As CRLs and certificate chaining become more popular, it seems, to me,
> >that having long-lasting certificates will be more important - so I
> >don't think ignoring the problem is the best solution....
> >
> >Andrew
> >
> >______________________________________________________________________
> >OpenSSL Project                                 http://www.openssl.org
> >User Support Mailing List                    [EMAIL PROTECTED]
> >Automated List Manager                           [EMAIL PROTECTED]
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

--
SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm

http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to