The change will be reviewed and discussed when the PR is created on GitHub. There is no point in discussing hypothetical contents of a patch here.

Regards,
Tomas Mraz, OpenSSL

On Fri, 2024-02-09 at 08:29 +0000, Martin Bonner via openssl-users wrote:
> Tomas Mraz wrote:
> > > I already have a patch to provide for verifying the signature at
> > > signature time. Shall I send a pull request?
>
> > Yes, sure.
>
> That sounds like "If you send the PR, we will merge it". I think that
> would be a _terrible_ idea. To repeat what has been said before: unless
> the signature date is signed by a trusted timestamping authority, it
> must be assumed to be attacker controlled.
>
> Unless the patch includes code to verify the signature date, it would
> be a mistake to include it by default.
>
> OTOH, a patch to verify signature dates and if valid, use them, would
> be wonderful.
>
> Martin Bonner

--
Tomáš Mráz, OpenSSL