All,

I'm working on an application of COSE [1] with the expectation of using X.509 certificates for data signing, so using the "x5." header parameters [2] for cert identification. This application is for store-and-forward data that may have a lifetime of days, weeks, or longer, so it is similar to S/MIME in some aspects.
The issue I'm running into is how to handle the validity time period of a certificate chain. Although S/MIME includes a "signing time" attribute [3], there is no guidance in that spec about if, or how, it would be used as part of PKIX validation, or how to interpret or process certificate validity time intervals differently than in RFC 5280 [4], which mandates validation based on the current time. Using the current time doesn't seem appropriate for S/MIME either, but I don't see any alternative documented.

Does anyone on the COSE mailing list have any thoughts or references to help me out? Or maybe this is a better question for the LAMPS WG directly? Since COSE is intended for the store-and-forward use case, it might be a good erratum to include a statement in the security considerations section?

Thanks,
Brian S.

[1] https://www.ietf.org/archive/id/draft-ietf-dtn-bpsec-cose-03.html
[2] https://www.rfc-editor.org/rfc/rfc9360.html
[3] https://datatracker.ietf.org/doc/html/rfc8551#section-2.5.1
[4] https://www.rfc-editor.org/rfc/rfc5280#section-6.1.3
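The time-of-validation question raised above, worked as an added example that is not part of the original message or of the COSE/BPSec drafts: a constructed two-certificate chain in Go is path-validated once at a reference time the verifier supplies (such as a signing time carried with the message) and once at a much later time, using crypto/x509's VerifyOptions.CurrentTime. The test CA, the subject names and the chosen signing time are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for a fresh P-256 key from tmpl, signed by parent with signer (self-signed when signer is nil).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain constructs a throwaway CA and a signing leaf, both valid only in [notBefore, notAfter]: test PKI, not a real chain.
func BuildChain(notBefore, notAfter time.Time) (leaf, ca *x509.Certificate, err error) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "signer"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	leaf, _, err = issue(leafTmpl, ca, caKey)
	return leaf, ca, err
}

// VerifyAt runs RFC 5280 path validation at a chosen reference time (e.g. a signing time recorded with the message)
// instead of the verifier's wall clock; nil means every certificate in the chain was inside its validity period then.
func VerifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Note that choosing the reference time only answers the expiry question; the verifier still has to trust where that time came from and still needs revocation information that was valid at the same instant.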
COSE mailing list: https://www.ietf.org/mailman/listinfo/cose
