-
-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fractional seconds in ocsp.CertStatus #185
Comments
Hello! |
Quote from X.690 (§11.7.3):
So the
So in general it's fine to accept fractions. Only when creating X.509 objects, it's not. |
So a bit of code using ocspbuilder:
Run that (say it's called
and you get
|
Correct. The
Yup; and since a |
Also to point out: the |
There are several options here:
I don't think fraction support should be removed, because it's valid and someone might have a legitimate reason to encode them. Might be possible by adding a mixin similar like @wbond your thoughts on this? |
And that's fine - as long as the programmer knows it could create RFC violating objects (ie, just mention it in the docs)
I think that's what I would do. See which types embed types and are created out of PKIX RFCs and strip fractional seconds for them. It would even be possible to have an override flag which allows the fractional seconds, if the programmer wanted that behaviour.
Both useful.
Definitely helps to educate the programmer, but isn't it just as easy to remove the fraction component?
I don't think this is a good approach either. GeneralizedTime isn't defined from the PKIX RFCs, so the ability to timestamp fractions is useful. I can see a high accuracy timestamping service based on X.500 objects needing such precision. |
It sounds like the actionable items from this are:
I haven't spent any time looking to see if the TSP or CMS usage should allow fractional components. I probably won't in the near term, but if one of you has guidance or knowledge about that, I'd be happy to work on getting it fixed. |
Because
CertStatus
can take a revocation time, when setting that, might it be an idea to zero any fractional seconds which might exist in the nativedatetime
?RFC 6960's entry on
GeneralizedTime
refers back to RFC 5280, Section 4.1.2.5.2, which states:Of course, one can always just .replace(microsecond=0) on the
datetime
value one sets, but this might avoid the danger of creating OCSP Responses (and possibly CRLs, after 2050!) which violate the relevant RFCs.The text was updated successfully, but these errors were encountered: