The X.509 certificate has a pair of times in it that delineate the valid period of the cert, and I'm checking that the system clock is within the bounds they define before permitting you to use the cert. I've been setting the expiry date to be 100 years in the future - by which time hopefully I won't have to worry about it - but occasionally clock skew means a freshly built kernel won't boot because the machine trying to boot doesn't think that the start time has been reached yet. Do we actually want to do this, however? Or should we just ignore the times? Or just the start time? Unfortunately, the ASN.1 says the field are mandatory, and openssl doesn't seem to give you a way to backdate the start time. David -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
