Dear all,

is there a reason why "openssl ts -verify" does not provide an "-attime" option, comparable to "openssl verify"?

I have a timestamp response which was made in 2009 using a certificate which is now expired. Currently it is impossible to verify this timestamp using the command line tool, because verification fails with a "certificate expired" error. The error is thrown before any checks on the timestamped object (file or digest) are made. Detecting manipulations is therefore not possible. An -attime option should provide a means to perform the certificate check at a chosen point in time when the certificate was still valid.

I'd suggest a patch which introduces an -attime option (see https://github.com/fbroda/openssl/tree/fbroda_ts_date). I'm willing to make a pull request if there are no objections.

Kind regards,
Frank Broda
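The behaviour requested above, shown with "openssl verify", which the message names as already having -attime. This is an added example, not part of the original message or the proposed patch. The certificate, subject name and file names are constructed, and a one-day self-signed certificate stands in for the 2009 TSA certificate.

```shell
#!/bin/sh
# Added illustration: validity checking at a chosen time with
# "openssl verify -attime". All names and files here are constructed.

# make_cert DIR: create a self-signed certificate valid for one day from now.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed TSA" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# check_at CERT EPOCH: print "valid" or "invalid" for the certificate as
# evaluated at EPOCH (seconds since 1970-01-01, the format -attime expects).
# The certificate is self-signed, so it also serves as the trust anchor.
check_at() {
    if openssl verify -attime "$2" -CAfile "$1" "$1" 2>/dev/null \
        | grep -q ': OK$'; then
        echo valid
    else
        echo invalid
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir" || { rm -rf "$dir"; return 1; }
    now=$(date +%s)
    signing_time=$((now + 3600))       # inside the validity period
    after_expiry=$((now + 30 * 86400)) # well past notAfter
    echo "checked at signing time: $(check_at "$dir/cert.pem" "$signing_time")"
    echo "checked after expiry:    $(check_at "$dir/cert.pem" "$after_expiry")"
    rm -rf "$dir"
}

demo
```

The second check fails with the same class of error the message describes; only the reference time differs between the two calls.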
