| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7237.1432216752@warthog.procyon.org.uk> Date: Thu, 21 May 2015 14:59:12 +0100 From: David Howells <dhowells@...hat.com> To: Andy Lutomirski <luto@...capital.net> Cc: dhowells@...hat.com, Andy Lutomirski <luto@...nel.org>, Rusty Russell <rusty@...tcorp.com.au>, Michal Marek <mmarek@...e.cz>, Matthew Garrett <mjg59@...f.ucam.org>, keyrings@...ux-nfs.org, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Luis Rodriguez <mcgrof@...e.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Seth Forshee <seth.forshee@...onical.com>, LSM List <linux-security-module@...r.kernel.org>, David Woodhouse <dwmw2@...radead.org> Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Andy Lutomirski <luto@...capital.net> wrote: > That being said, are you actually planning on implementing X.509 chain > validation correctly? ISTM you can't really do it usefully, as we > don't even know what time it is when we run this code. We can't validate certificates based on time. We've been there, tried that and patched it out again. The problem is that we can't trust the system clock until we've done NTP - and possibly not even then. A dodgy or unset system clock can lead to the system not booting, even for installation. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists