Brian: S/MIME does not use the signing time attribute as an input to certificate path validation. It is not expected to come from a trusted time source.
Russ

> On Mar 27, 2024, at 5:16 PM, Sipos, Brian J. <[email protected]> wrote:
>
> All,
> I’m working on an application of COSE [1] with the expectation of using X509
> certificates for data signing, so using the “x5…” header parameters [2] for
> cert identification. This application is for store-and-forward data that may
> have a lifetime of days, weeks, or longer so similar to S/MIME in some
> aspects.
>
> The issue I’m running into is how to handle the validity time period of a
> certificate chain. Although S/MIME includes a “signing time” attribute [3]
> there is no guidance in that spec about if, or how, it would be used as part
> of PKIX validation or how to interpret or process certificate validity time
> intervals differently than in RFC 5280 [4], which mandates validation based
> on the current time. Using the current time doesn’t seem appropriate for
> S/MIME either, but I don’t see any alternative documented.
>
> Does anyone on the COSE mailing list have any thoughts or references to help
> me out?
> Or maybe this is a better question for LAMPS WG directly?
> Since COSE is intended for the store-and-forward use case, it might be a good
> errata to include a statement in the security considerations section?
>
> Thanks,
> Brian S.
>
> [1] https://www.ietf.org/archive/id/draft-ietf-dtn-bpsec-cose-03.html
> [2] https://www.rfc-editor.org/rfc/rfc9360.html
> [3] https://datatracker.ietf.org/doc/html/rfc8551#section-2.5.1
> [4] https://www.rfc-editor.org/rfc/rfc5280#section-6.1.3
>
> _______________________________________________
> COSE mailing list
> [email protected] <mailto:[email protected]>
> https://www.ietf.org/mailman/listinfo/cose
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
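The validity-window problem Brian describes, as an added example that is not part of the thread and not code from any COSE or BPSec implementation. It uses Go's standard crypto/x509 path validator, whose VerifyOptions.CurrentTime field is the "evaluation time" knob that RFC 5280 section 6.1.3 fixes to the current time. The CA and signing certificate are a constructed fixture: the signer's certificate is valid for January 2024 only, the message is signed mid-January and delivered in April. Validating at delivery time fails with an expiry error; validating at the signing time succeeds. The point Russ makes applies unchanged: the time fed into validAt must come from somewhere the verifier trusts (a timestamp it recorded itself, or a trusted timestamp token), not from a signing-time attribute the signer wrote into the message, since the signer controls that value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// fixture holds a constructed two-certificate chain: a self-signed root
// and an end-entity signing certificate issued by it (hypothetical names).
type fixture struct {
	root *x509.Certificate
	ee   *x509.Certificate
}

// newFixture builds the chain. The root is valid a day before notBefore
// until a year after notAfter; the end-entity is valid exactly [notBefore, notAfter].
func newFixture(notBefore, notAfter time.Time) (*fixture, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             notBefore.Add(-24 * time.Hour),
		NotAfter:              notAfter.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "store-and-forward signer (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	eeDER, err := x509.CreateCertificate(rand.Reader, eeTmpl, root, &eeKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ee, err := x509.ParseCertificate(eeDER)
	if err != nil {
		return nil, err
	}
	return &fixture{root: root, ee: ee}, nil
}

// validAt runs RFC 5280 path validation with the evaluation clock set to
// "at" instead of the wall clock, and reports whether the chain verifies.
// The caller decides where "at" comes from; that choice is the security
// question the thread raises.
func validAt(f *fixture, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(f.root)
	_, err := f.ee.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// expiredAt reports whether the failure at "at" is specifically an expiry
// (x509.Expired), as opposed to a signature or chaining problem.
func expiredAt(f *fixture, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(f.root)
	_, err := f.ee.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	f, err := newFixture(
		time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		time.Date(2024, 2, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	signedAt := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC)   // constructed
	deliveredAt := time.Date(2024, 4, 1, 12, 0, 0, 0, time.UTC) // constructed
	fmt.Println("valid at signing time:  ", validAt(f, signedAt))
	fmt.Println("valid at delivery time: ", validAt(f, deliveredAt))
	fmt.Println("expired at delivery:    ", expiredAt(f, deliveredAt))
}
```

The two calls to validAt differ only in the clock, which is exactly what a store-and-forward verifier has to decide: validating at delivery time rejects every message whose signer certificate expired in transit, while validating at a signing time asserted in the message lets whoever holds an expired key pick the time that makes it pass. A trustworthy evaluation time has to be bound outside the signer's control.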
