Tomas Mraz wrote:
>> I already have a patch to provide for verifying the signature at
>> signature time. Shall I send a pull request?
> Yes, sure.

That sounds like "If you send the PR, we will merge it". I think that would be a _terrible_ idea.

To repeat what has been said before: unless the signature date is signed by a trusted timestamping authority, it must be assumed to be attacker controlled. Unless the patch includes code to verify the signature date, it would be a mistake to include it by default.

OTOH, a patch to verify signature dates and if valid, use them, would be wonderful.

Martin Bonner
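The distinction drawn in the message above, as an added example that is not part of the thread or of the patch under discussion: a verifier that validates the signer certificate at the signing date only when a trusted authority attests that date, and at the current time otherwise. All names are hypothetical, and an HMAC under a constructed key stands in for the timestamping authority's signature.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# ASSUMPTION: an HMAC under a constructed key stands in for the TSA's signature.
# A real verifier checks an RFC 3161 token against the TSA certificate chain.
TSA_KEY = b"constructed-demo-tsa-key"

@dataclass
class Signature:                       # hypothetical container, not a real API
    value: bytes                       # signature bytes over the content
    claimed_time: datetime             # signing-time attribute, set by the signer
    tsa_time: Optional[datetime] = None
    tsa_tag: Optional[bytes] = None    # TSA binding of (signature, tsa_time)

def tsa_stamp(sig_value: bytes, when: datetime) -> bytes:
    """What the stand-in TSA issues: a tag over the signature and its own clock."""
    msg = hashlib.sha256(sig_value).digest() + when.isoformat().encode()
    return hmac.new(TSA_KEY, msg, hashlib.sha256).digest()

def verification_time(sig: Signature, now: datetime) -> datetime:
    """Time at which the signer certificate must be valid."""
    if sig.tsa_time is not None and sig.tsa_tag is not None:
        if hmac.compare_digest(tsa_stamp(sig.value, sig.tsa_time), sig.tsa_tag):
            return sig.tsa_time        # date attested by the trusted authority
    return now                         # claimed_time is attacker controlled: ignored

def accept(sig: Signature, not_before: datetime, not_after: datetime,
           now: datetime) -> bool:
    """Certificate validity check only; signature math is out of scope here."""
    return not_before <= verification_time(sig, now) <= not_after

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed scenario: the certificate expired before "now".
NOT_BEFORE, NOT_AFTER, NOW = utc(2020, 1, 1), utc(2021, 1, 1), utc(2024, 1, 1)
BACKDATED = Signature(b"sig-a", claimed_time=utc(2020, 6, 1))
STAMPED = Signature(b"sig-b", utc(2020, 6, 1), utc(2020, 6, 2),
                    tsa_stamp(b"sig-b", utc(2020, 6, 2)))
# Same token with the TSA time moved by the attacker: the tag no longer matches.
TAMPERED = Signature(b"sig-b", utc(2020, 6, 1), utc(2020, 3, 1), STAMPED.tsa_tag)

if __name__ == "__main__":
    for name, sig in [("backdated", BACKDATED), ("stamped", STAMPED),
                      ("tampered", TAMPERED)]:
        print(name, accept(sig, NOT_BEFORE, NOT_AFTER, NOW))
```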