[cap-talk] Curious certificate expiration policy in Firefox
David Hopwood
david.hopwood at industrial-designers.co.uk
Mon Oct 8 23:52:04 EDT 2007
Tyler Close wrote:
> I was just playing with X.509 certificate generation and testing
> against Firefox when I found some funny/strange behaviour.
>
> X.509 only uses two digits to represent the year that a certificate
> expires. Consequently, there must be some sort of heuristic in the
> client code to determine whether or not a certificate is really old,
> or doesn't expire for a long time. In trying to figure out where the
> limits are, I discovered that Firefox will assume that a certificate
> that expires in '59 was issued before public key cryptography was
> invented, rather than assume that it expires in 2059.
You're not the first to point that out:
<http://www.imc.org/ietf-pkix/old-archive-97/msg00266.html>
In any case, the window for two-digit years does need to be specified,
even if it's completely arbitrary.
--
David Hopwood <david.hopwood at industrial-designers.co.uk>
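Added example, not part of the original messages and not Firefox's code: a Python sketch of the two-digit-year window as RFC 5280 (section 4.1.2.5.1) fixes it for certificate validity fields, which is consistent with the '59 behaviour described above. The function names and sample time strings are constructed for illustration.

```python
from datetime import datetime, timezone

# Assumption: RFC 5280 window. YY >= 50 means 19YY, YY < 50 means 20YY.
PIVOT = 50


def parse_utctime(s):
    """Decode an X.509 UTCTime string in the YYMMDDHHMMSSZ form."""
    if len(s) != 13 or not s.endswith("Z") or not s[:12].isdigit():
        raise ValueError("not a YYMMDDHHMMSSZ UTCTime: %r" % s)
    yy = int(s[:2])
    year = (1900 if yy >= PIVOT else 2000) + yy
    # datetime() rejects impossible months, days, hours and so on.
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


def parse_generalizedtime(s):
    """Decode a GeneralizedTime string in the YYYYMMDDHHMMSSZ form."""
    if len(s) != 15 or not s.endswith("Z") or not s[:14].isdigit():
        raise ValueError("not a YYYYMMDDHHMMSSZ GeneralizedTime: %r" % s)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def encode_validity_time(t):
    """Pick the ASN.1 time type a certificate generator should emit for t.

    t must be timezone-aware. Years 1950..2049 fit the UTCTime window;
    anything outside it needs the four-digit GeneralizedTime form.
    """
    t = t.astimezone(timezone.utc)
    if 1950 <= t.year <= 2049:
        return ("UTCTime", t.strftime("%y%m%d%H%M%SZ"))
    return ("GeneralizedTime", t.strftime("%Y%m%d%H%M%SZ"))


def is_expired(not_after, now):
    """True when the decoded notAfter lies before the verifier's clock."""
    return now > not_after


if __name__ == "__main__":
    now = datetime(2007, 10, 8, tzinfo=timezone.utc)
    # Constructed notAfter values: an intended "2059" written as UTCTime,
    # and the same instant written as GeneralizedTime.
    bad = parse_utctime("590101000000Z")
    good = parse_generalizedtime("20590101000000Z")
    print(bad.year, is_expired(bad, now))    # 1959 True
    print(good.year, is_expired(good, now))  # 2059 False
    print(encode_validity_time(good))
```

A generator that needs an expiry in 2050 or later has to switch to the four-digit form; the two-digit form cannot express it under this window.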