[Users] [Bulk] Re: Certificate pop-up message

ratinox at gweep.net ratinox at gweep.net
Thu Oct 4 20:21:43 CEST 2012


On Thu, 4 Oct 2012 17:44:36 +0100
Kevin Chadwick <ma1l1ists at yahoo.co.uk> wrote:

> It certainly doesn't define that. In the case I have stated, it is not
> expired; it is mistakenly thought to have gone past the intended
> replacement date.

From RFC 6101 (SSL v3.0):

   certificate_expired:  A certificate has expired or is not currently
      valid.

"Expired" and "invalid" are synonymous in the SSL RFCs. The TLS RFCs
have a copy-paste of this definition. You can read the relevant RFCs
for yourself to see how expired certificates are supposed to be
handled.


> His clock does work; it's just forgotten the time.

A clock that never has the correct time is broken.

> Right, so you want him to pay fifty pounds to replace a battery in
> a laptop worth a hundred pounds.
[snip]

This is the second funniest thing I've seen today. The first is
Yahtzee's review of "Borderlands 2". Not only is your friend's computer
broken but it's stupidly designed as well. The suggestion that the IETF
and the Claws developers bend over to cater to it is absurd. It's not
happening.

The suggestion that NTP is no guarantee is even more absurd. I've
deployed and managed NTP in environments where millisecond accuracy is
required. This was on x86 hardware, which is notorious for wildly
inaccurate real-time clocks. One of the nodes in one of my clusters had
RTC drift exceeding an hour a day, but NTP kept the system time accurate
to within 1-2 milliseconds.

Today I manage about 30 Xen user domains, none of which rely on
hardware clocks. They rely entirely on NTP and their kernel tickers for
managing wall clock time. I haven't been paying close attention to
their clocks because I only need sub-minute accuracy for my Kerberos
realm. None of the nodes running NTP ever have time problems.

My advice: Install NTP correctly on your friend's computer. And stop
ranting because the Claws developers aren't going to change their minds
about intentionally deploying broken behavior in the software they write
and maintain.

-- 
\m/ (--) \m/
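[Editor's note, added to this archive page; the code below is an illustration written for this page, not code from the message above, from Claws Mail or from any NTP implementation.] The two technical points in the message, that the TLS certificate_expired alert covers "not currently valid" as well as "expired", and that an SNTP exchange recovers the true time no matter how far off the RTC is, can be shown end to end in the Python standard library. The certificate validity strings, the "dead CMOS battery" clock value (2000-01-01) and the server timestamps below are constructed sample data, not captured from a real host or server; the wire format and the offset/delay formulas are those of RFC 4330 (SNTP), and `ssl.cert_time_to_seconds` is the real stdlib parser for the `notBefore`/`notAfter` strings that `getpeercert()` returns.

```python
"""Constructed example: a wrong clock vs. a valid certificate, and how one
SNTP exchange yields the offset needed to fix the clock.  No network is used;
the "server" reply is built locally from made-up timestamps."""
import calendar
import ssl
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def utc_seconds(year, month, day, hour=0, minute=0, second=0):
    """Unix timestamp for a UTC calendar time, so the constants below stay readable."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def cert_status(peercert, now):
    """Classify a certificate against the clock value `now` (Unix seconds).

    `peercert` has the shape of ssl.SSLSocket.getpeercert(): notBefore/notAfter are
    strings like "Sep  1 00:00:00 2012 GMT".  Both non-'valid' outcomes map to the
    same TLS alert, certificate_expired, so a clock that is years *behind* produces
    exactly the pop-up a genuinely expired certificate would.
    """
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


# --- minimal SNTP client side (RFC 4330 packet layout) -----------------------

def unix_to_ntp(t):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(t)
    frac = int(round((t - secs) * 2**32))
    return ((secs + NTP_UNIX_DELTA) << 32) | frac


def ntp_to_unix(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / 2**32


def ntp_request(t1):
    """48-byte client request: LI=0, VN=4, Mode=3 (client); transmit timestamp = T1 at offset 40."""
    return struct.pack("!B39xQ", 0x23, unix_to_ntp(t1))


def make_server_response(request, t2, t3, stratum=2):
    """Constructed server reply (what a real server would send back): echoes our
    transmit timestamp as the origin (T1) and fills receive (T2) / transmit (T3)."""
    origin = struct.unpack("!Q", request[40:48])[0]
    header = struct.pack("!BBBb3I", 0x24, stratum, 0, -20, 0, 0, 0)  # 0x24: LI=0 VN=4 Mode=4 (server)
    reference = unix_to_ntp(t2 - 16)  # when the server last synced; arbitrary here
    return header + struct.pack("!4Q", reference, origin, unix_to_ntp(t2), unix_to_ntp(t3))


def ntp_offset(request, response, t4):
    """Clock offset and round-trip delay from one exchange (RFC 4330 section 5).

    T1/T4 are our send/receive times on our (possibly wrong) clock, T2/T3 the
    server's receive/transmit times on its clock.  Positive offset: we are behind.
    Basic sanity checks mirror what real clients do before trusting a reply.
    """
    if len(response) != 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum = response[0], response[1]
    if (li_vn_mode >> 3) & 0x7 != 4 or li_vn_mode & 0x7 != 4:
        raise ValueError("not an NTPv4 server reply")
    if stratum == 0 or stratum > 15:
        raise ValueError("kiss-of-death or unsynchronised server; ignore reply")
    _ref, origin, recv, xmit = struct.unpack("!4Q", response[16:48])
    if origin != struct.unpack("!Q", request[40:48])[0]:
        raise ValueError("origin timestamp mismatch: not a reply to our request")
    t1, t2, t3 = ntp_to_unix(origin), ntp_to_unix(recv), ntp_to_unix(xmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def demo():
    """A laptop whose RTC reset to 2000-01-01 checks a cert valid Sep 2012 - Sep 2013."""
    cert = {"notBefore": "Sep  1 00:00:00 2012 GMT", "notAfter": "Sep  1 00:00:00 2013 GMT"}
    rtc_now = float(utc_seconds(2000, 1, 1))                 # what the broken clock says
    true_now = float(utc_seconds(2012, 10, 4, 18, 21, 43))   # the actual time (constructed)
    before = cert_status(cert, rtc_now)                      # "not_yet_valid" -> same alert as expired
    req = ntp_request(rtc_now)
    resp = make_server_response(req, true_now + 0.25, true_now + 0.25)  # 0.25 s each way, no server work
    offset, delay = ntp_offset(req, resp, rtc_now + 0.5)
    after = cert_status(cert, rtc_now + offset)              # "valid" once the clock is stepped by offset
    return before, after, offset, delay


if __name__ == "__main__":
    print(demo())
```

The point the exchange makes is the one in the message: the server's timestamps, not the local RTC, determine the corrected wall clock, so a 12-year error is removed as easily as a 12-millisecond one. A real client would send `ntp_request()` over UDP/123, record `t4` on receipt, and step or slew the clock by `offset`; the origin-timestamp and stratum checks are kept because a reply that fails them must not be allowed to set the time.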