Verifying iat without leeway may break with poorly synced clocks #319
Comments
matthewrudy
changed the title
|
ok, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I know this was raised on an earlier issue,
#247 (comment)
But I've only just tried to upgrade to 2.2.1,
and it breaks our tests because we did historically see iat verification errors due to clock sync issues between systems.
And using the
iat_leewaywas a solution for us.I can see that the RFC was the motivation for this change
#247 (comment)
So the RFC says we MUST verify the
nbfandexpclaimsand each of these MAY have a
leeway.https://tools.ietf.org/html/rfc7519#section-4.1.4
However it says nothing about verifying the
iatclaim.Just that it:
I believe the answer is to remove the
verify_iatmethod,and treat
iatas just a point of information, not a field to verify.As the RFC says:
https://tools.ietf.org/html/rfc7519#section-4.1.6
The text was updated successfully, but these errors were encountered: