undefined | Better HN

0 pointsryanlol8y ago0 comments

So instead of trying to conform to the x.509 spec MS should have just developed their own certificate validation scheme, because that would totally be less of a "footgun" than conforming to the spec.

Am I getting this right?

Why aren't we blaming the people behind RFC5280, after all it was them who came up with this awful idea that certificates should expire.

>giant footgun

oh dear god how are you generating your certificates? This is not a footgun unless you are doing something immeasurably stupid before even involving MS products.

Besides, if you insist on going ahead and setting the Not After field, wouldn't it be a bigger footgun to ignore that?

0 comments

lclarkmichalek8y ago

FWIW, there are basically no common implementations that fully conform to the x.509 spec. That thing is a bundle of unimplemented features.

ryanlolOP8y ago

Hence "trying to" :)

However, I'd argue that disregarding the Validity section would be an unusually big departure from the spec, not comparable to the typical silliness surrounding x.509.

j / k navigate · click thread line to collapse