On 2020-10-28 20:54, Ryan Sleevi wrote:
> On Wed, Oct 28, 2020 at 10:50 AM Jakob Bohm via dev-security-policy <
>
dev-secur...@lists.mozilla.org> wrote:
>
>> This aspect of RFC5280 section 4.1.2.5 is quite unusual in computing,
>> where the ends of intervals are typically encoded such that subtracting
>> the interval ends (as pure numbers) yields the interval length.
>>
>
>> = notBefore, <= notAfter is as classic as "< size - 1" in
> 0-indexed for-loops (i.e. a size of 1 indicates there's one element - at
> index 0), or "last - first" needs to add +1 if counting elements in a
> pointer range.
>
0-indexed for-loops typically use "< size" or "<= size - 1",
illustrating how hard it is to get such cases right.
>
>> As a data point, the reference CA code in the OpenSSL library,
>> version 1.1.0
>>
>
> Generates a whole bunch of completely invalid badness that is completely
> non-compliant, and is hardly a "reference" CA (c.f. the long time to switch
> to utf8only for DNs as just one of the basic examples)
The "ca" "app" inside the openssl command line tool is officially
defined as being "reference code only", not intended as an actual
production CA implementation, although many people have found it
useful as a component of low volume production CA implementations.
This "reference" or "sample" code and its sample configuration contains
comments as to what choices are compatible with older Mozilla code,
including that using UTF-8 strings in DNs would cause older Mozilla code
to fail.
ITU's X.509 (10/2012) doesn't seem to contain the sentence quoted and
seems to be completely silent as to the inclusive/exclusive
interpretation of the ends of the validity interval. And this doesn't
seem to change in corrigendum 2 from 04/2016.
> It helps to do research before casting aspersions or proposing to
> reinterpret meanings that are older than some members here.
>
The overarching problem is that some people love to do language
lawyering with the exact meanings of specifications, and strictly
enforcing every minute detail, such as the fact that RFC5280 from 2008
insists that these two ASN.1 fields should be interpreted as
"inclusive", while 398 days and 1 second is technically more than 398
days.