[cap-talk] Curious certificate expiration policy in Firefox
Tyler Close
tyler.close at gmail.com
Mon Oct 8 14:46:03 EDT 2007
Hi Jack,
Wow, this is the specified behaviour!
Looks like you know where to find the corresponding spec words, could
you send along a URL? So far I've just been working off of Burton
Kaliski's "Layman's guide". It only documents the two digit year
syntax.
Thanks,
Tyler
On 10/8/07, Jack Lloyd <lloyd at randombit.net> wrote:
> On Mon, Oct 08, 2007 at 10:46:04AM -0700, Tyler Close wrote:
> > I was just playing with X.509 certificate generation and testing
> > against Firefox when I found some funny/strange behaviour.
> >
> > X.509 only uses two digits to represent the year that a certificate
> > expires. Consequently, there must be some sort of heuristic in the
> > client code to determine whether or not a certificate is really old,
> > or doesn't expire for a long time. In trying to figure out where the
> > limits are, I discovered that Firefox will assume that a certificate
> > that expires in '59 was issued before public key cryptography was
> > invented, rather than assume that it expires in 2059.
> >
> > I haven't pushed to find the exact limit, but so far a certificate
> > that expires before New Years in '49 will be assumed to be 2049.
>
> There are (at least) two time formats in ASN.1, one of which only
> provides a two digit year.
>
> PKIX (the IETF X.509 profile) specifies:
>
> """
> Conforming systems MUST interpret the year field (YY) as follows:
>
> Where YY is greater than or equal to 50, the year SHALL be
> interpreted as 19YY; and
>
> Where YY is less than 50, the year SHALL be interpreted as 20YY.
> """
--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
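As an added illustration (not code from the thread, from Firefox, or from any PKIX implementation), here is a small decoder and encoder for the two ASN.1 time encodings Jack refers to, applying the quoted PKIX rule to the two-digit form. The requirement that dates through 2049 be encoded as UTCTime and dates from 2050 onward as GeneralizedTime is also PKIX's (RFC 5280 section 4.1.2.5) but is not quoted in the thread; the sample timestamps are constructed.

```python
import re
from datetime import datetime, timezone

# X.509 validity times use two ASN.1 encodings: UTCTime (YYMMDDHHMMSSZ,
# two-digit year) and GeneralizedTime (YYYYMMDDHHMMSSZ, four-digit year).
UTCTIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
GENERALIZEDTIME_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def pkix_year(yy: int) -> int:
    """The PKIX rule quoted in the thread: YY >= 50 is 19YY, YY < 50 is 20YY."""
    if not 0 <= yy <= 99:
        raise ValueError("YY must be a two-digit value")
    return 1900 + yy if yy >= 50 else 2000 + yy


def parse_x509_time(s: str) -> datetime:
    """Decode a validity field; the digit count tells the encodings apart."""
    if m := UTCTIME_RE.match(s):
        yy, mo, d, h, mi, sec = (int(x) for x in m.groups())
        return datetime(pkix_year(yy), mo, d, h, mi, sec, tzinfo=timezone.utc)
    if m := GENERALIZEDTIME_RE.match(s):
        y, mo, d, h, mi, sec = (int(x) for x in m.groups())
        return datetime(y, mo, d, h, mi, sec, tzinfo=timezone.utc)
    raise ValueError(f"not a PKIX UTCTime or GeneralizedTime: {s!r}")


def encode_x509_time(dt: datetime) -> str:
    """Encode as PKIX requires: UTCTime through 2049, GeneralizedTime from 2050.

    A generator that always emits two digits turns a 2059 expiry into
    '59...Z', which every conforming verifier reads as 1959.
    """
    if dt.tzinfo is None or dt.utcoffset().total_seconds() != 0:
        raise ValueError("validity times must be expressed in UTC")
    if 1950 <= dt.year <= 2049:
        return dt.strftime("%y%m%d%H%M%SZ")
    return dt.strftime("%Y%m%d%H%M%SZ")


if __name__ == "__main__":
    # Constructed samples matching the two cases described in the thread.
    for s in ("591231235959Z", "491231235959Z", "20591231235959Z"):
        print(s, "->", parse_x509_time(s).isoformat())
    expiry_2059 = datetime(2059, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
    print(encode_x509_time(expiry_2059))
```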