2

The RFC 4880, a document that describes the OpenPGP cryptography standard, finds its roots in RFC 2440, published in 1998 (that's sixteen years ago, supposedly before 64-bit systems emerged). Both specifications tell the same thing about how timestamps are handled:

3.5. Time Fields

A time field is an unsigned four-octet number containing the number of seconds elapsed since midnight, 1 January 1970 UTC.

Should one try to follow this RFC as closely as possible (and, here, face a sweet year 2038 bug one day)? Is it "risky" for a developer not to follow parts of standards/specifications/RFCs (especially when it comes to cryptography), when they are seen as potentially obsolete already?

I am a bit afraid of asking because the question sounds silly, but if I "implement RFC 4880" but in my own way, it is not the official thing any more. So, what is the best thing a developer should do against what she sees as "obsolete" parts of specifications? Nothing?

Improve this question

1 Answer 1

Reset to default
2

First: I think the example in your question is wrong. RFC4880 uses an unsigned 32-bit integer. The y2k38 problem is a problem for signed 32-bit integers. According to Wikipedia, unsigned 32-bit integers work until the year 2106. A little more time.

To answer your question: I think the best way is to get in contact with the RFC working group / the authors of the RFC and tell them about the obsolescence. Maybe, a follow-up RFC will fix that issue.

For your example, I think you can refrain from contacting the OpenPGP WG. I think, until 2106 there will be a lot of updates and I suspect V5 keys to have 8-octet time fields.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.