[cap-talk] Curious certificate expiration policy in Firefox

Tyler Close tyler.close at gmail.com
Mon Oct 8 13:46:04 EDT 2007


I was just playing with X.509 certificate generation and testing
against Firefox when I found some funny/strange behaviour.

X.509 only uses two digits to represent the year that a certificate
expires. Consequently, there must be some sort of heuristic in the
client code to determine whether or not a certificate is really old,
or doesn't expire for a long time. In trying to figure out where the
limits are, I discovered that Firefox will assume that a certificate
that expires in '59 was issued before public key cryptography was
invented, rather than assume that it expires in 2059.

I haven't pushed to find the exact limit, but so far a certificate
that expires before New Year's in '49 will be assumed to be 2049.

--Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
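
An added example, not part of the original post and not Firefox's code: RFC 5280 fixes the two-digit-year rule for X.509 UTCTime at a pivot of 50 and requires GeneralizedTime (four-digit year) for dates in 2050 or later. The function names `parse_validity_time` and `encode_validity_time` are hypothetical and the sample strings are constructed.

```python
from datetime import datetime, timezone
import re

_UTCTIME = re.compile(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")
_GENTIME = re.compile(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")


def parse_validity_time(value: str) -> datetime:
    """Decode a notBefore/notAfter string in the RFC 5280 profile."""
    m = _UTCTIME.fullmatch(value)
    if m:
        yy, *rest = (int(g) for g in m.groups())
        # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, YY < 50 means 20YY.
        # Do not use strptime("%y") here: its POSIX pivot is 69, not 50.
        year = 1900 + yy if yy >= 50 else 2000 + yy
    else:
        m = _GENTIME.fullmatch(value)
        if not m:
            raise ValueError(f"not UTCTime or GeneralizedTime: {value!r}")
        year, *rest = (int(g) for g in m.groups())
    return datetime(year, *rest, tzinfo=timezone.utc)


def encode_validity_time(when: datetime) -> str:
    """Choose the encoding a conforming CA must use for this date."""
    if when.tzinfo is None:
        raise ValueError("timezone-aware datetime required")
    when = when.astimezone(timezone.utc)
    tail = f"{when:%m%d%H%M%S}Z"
    if 1950 <= when.year <= 2049:
        return f"{when.year % 100:02d}{tail}"   # UTCTime, two-digit year
    return f"{when.year:04d}{tail}"             # GeneralizedTime


if __name__ == "__main__":
    # Constructed sample values.
    for s in ("491231235959Z", "591231235959Z", "20591231235959Z"):
        print(s, "->", parse_validity_time(s).isoformat())
```

A certificate meant to expire in 2059 therefore has to carry `20591231235959Z`; the 13-character form `591231235959Z` decodes to 1959 under this rule.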

