One day your web services are connecting to one another as they should be; the
next day they're failing for no apparent reason with a “certificate expired” error
message buried in a log file somewhere. No certificate-based library I'm aware
of gives you any warning that a certificate is about to expire (as nice as that
would be).
One way to get around this is to have all certificates that protect program-
to-program services expire on the same day — for instance, you can have
all the test environment certificates expire on Feb. 1, and all the production
environment certificates expire on Mar. 1. This way, you'll get some warning:
when your test environment certificates start expiring, you'll know it's
time to start reissuing your production environment certificates.
How is validity represented in X.509, then?
Validity ::= SEQUENCE {
notBefore Time,
notAfter Time }
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime }
There are two Time values, each of which can be either a UTCTime or a
GeneralizedTime. Each is a year, followed by a month, a day, an hour, a minute,
a second, and the letter Z. The only difference between the two is that
GeneralizedTime uses a four-digit year and UTCTime a two-digit year. A UTCTime is 13
bytes long; a GeneralizedTime is 15. Lengths are discussed later in the chapter,
when representations are covered.
So, with a two-digit year, the client has to do a bit of detective work to figure out
if 35 expired a very, very long time ago, or if it will expire in 25 years. Because no
X.509 certificates were issued in 1935, it's safe to assume that a year of 35 means
2035. In fact, the specification mandates that all certificates issued before 2050
must use UTCTime, so if the year is less than 50, it's in the 21st century. After the
year 2050, CAs are supposed to begin using GeneralizedTime, with a four-digit
year. However, having lived through the Y2K “crisis,” I have faith that computer
programmers will not actually fix this two-digit year problem until a few years
before it actually does become a problem — sometime around the year 2080.
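As an added example (not the book's code), here is a C parser for the Time CHOICE above that applies the two-digit-year pivot the specification describes, rejects malformed values, and adds a days-until-expiry helper for the kind of early warning the text wishes libraries gave. The tag constants are the ASN.1 universal tags for UTCTime and GeneralizedTime; the day-count routine is a standard proleptic Gregorian calculation, and the sample time strings in the test are constructed.

```c
/* ASN.1 universal tag numbers for the two Time alternatives. */
#define TAG_UTCTIME         0x17
#define TAG_GENERALIZEDTIME 0x18

typedef struct { int year, month, day, hour, minute, second; } x509_time;

/* Read n ASCII digits at s; -1 if any byte is not a digit. */
static int read_digits(const unsigned char *s, int n) {
  int v = 0;
  for (int i = 0; i < n; i++) {
    if (s[i] < '0' || s[i] > '9') return -1;
    v = v * 10 + (s[i] - '0');
  }
  return v;
}

/* Parse the content octets of a DER Time. len must be 13 (UTCTime) or 15
 * (GeneralizedTime) and the value must end in 'Z'. Returns 0, or -1 if malformed. */
int parse_x509_time(int tag, const unsigned char *s, int len, x509_time *t) {
  int pos;
  if (tag == TAG_UTCTIME && len == 13) {
    int yy = read_digits(s, 2);
    if (yy < 0) return -1;
    /* RFC 5280 pivot: 50..99 means 1950..1999, 00..49 means 2000..2049 */
    t->year = (yy >= 50) ? 1900 + yy : 2000 + yy;
    pos = 2;
  } else if (tag == TAG_GENERALIZEDTIME && len == 15) {
    if ((t->year = read_digits(s, 4)) < 0) return -1;
    pos = 4;
  } else {
    return -1; /* wrong tag, or length does not match the alternative */
  }
  int *fields[] = { &t->month, &t->day, &t->hour, &t->minute, &t->second };
  for (int i = 0; i < 5; i++, pos += 2)
    if ((*fields[i] = read_digits(s + pos, 2)) < 0) return -1;
  if (s[pos] != 'Z') return -1;
  if (t->month < 1 || t->month > 12 || t->day < 1 || t->day > 31 ||
      t->hour > 23 || t->minute > 59 || t->second > 60) return -1; /* 60: leap second */
  return 0;
}

/* Days since 1970-01-01 for a civil date (proleptic Gregorian calendar). */
static long days_from_civil(int y, int m, int d) {
  y -= m <= 2;
  long era = (y >= 0 ? y : y - 399) / 400;
  long yoe = y - era * 400;
  long doy = (153L * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
  long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
  return era * 146097 + doe - 719468;
}

/* Whole days from the civil date (y,m,d) until notAfter; negative once expired. */
long days_until_expiry(const x509_time *notAfter, int y, int m, int d) {
  return days_from_civil(notAfter->year, notAfter->month, notAfter->day) - days_from_civil(y, m, d);
}
```

Feeding every notAfter through days_until_expiry on a schedule, and alerting when the result drops below a chosen threshold, gives the warning the text notes libraries do not provide.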
subject
subject Name
The subject, like the issuer, is a relative distinguished name. It includes an
optional number of identifying fields, hopefully enough to identify the subject
of the certificate. But, now that you mention it, who is the subject? If I have a
certificate that identifies me, personally, the subject name (the CN field) should
be my name, but if I'm connecting to a web site named www.whizbang.com, the
subject field should identify that web site somehow.