• State Verified Answer
  • Replies 2 replies
  • Subscribers 90 subscribers
  • Views 110 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 360977
Options

ALIRO: ValidityInfo — is signed < validFrom meant to be rejected?

Jason

Hi guys,

I'm hitting an error with the current Aliro 1.0.0 lib.

When a credential is signed today but its validFrom is in the future (e.g. signed=2026-06-17, validFrom=2026-06-29) and the card is tapped within the validity window, the lib rejects it:


ALIRO: Signed timestamp is before validFrom timestamp
ALIRO: Failed to verify signed items

The lib appears to require signed >= validFrom. But ISO/IEC 18013-5 ValidityInfo states "validFrom shall be equal or later than the signed element", so signed < validFrom is the normal case for pre-provisioned credentials.

A few questions:

Is rejecting signed < validFrom intentional? If so, which spec or profile requires it?
If not, can the check be updated to allow a future-dated validFrom?

Thanks

Parents
  • +1

    Hello,

    I got a confirmation that this is indeed a bug. Our Aliro team says:

    -------------------------

    We need to relax the validity verification. It will be fixed in the 1.1.0 release. The Aliro spec only says that "The 'signed' date is within the validity period of the certificate in the Issuer_Cert (if applicable).", but the signed date of the credential can definitely be set to time before the ValidFrom.

    -------------------------

    I don't have a timeline for when 1.1.0 will be released. For timeline questions, please contact our sales department. If you don't have their contact information, please send me a DM here on DevZone, where you link to this ticket and verify your location (country), and I will find the correct contact information.

    Best regards,

    Edvin

Reply
  • +1

    Hello,

    I got a confirmation that this is indeed a bug. Our Aliro team says:

    -------------------------

    We need to relax the validity verification. It will be fixed in the 1.1.0 release. The Aliro spec only says that "The 'signed' date is within the validity period of the certificate in the Issuer_Cert (if applicable).", but the signed date of the credential can definitely be set to time before the ValidFrom.

    -------------------------

    I don't have a timeline for when 1.1.0 will be released. For timeline questions, please contact our sales department. If you don't have their contact information, please send me a DM here on DevZone, where you link to this ticket and verify your location (country), and I will find the correct contact information.

    Best regards,

    Edvin

Children
No Data
Related
Terms of service