What is the use case here? I really hate to bring in time requirements. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Jim Schaad Sent: Tuesday, October 9, 2012 11:34 AM To: [email protected] Subject: [jose] Proposal - Create a SignTime Header
I propose that we create a header entry that is optional and contains a time that the signer claims that they signed at. There are two different types of times that can found in signed statements. The first is going to be a time field associated with the data. This is the current approach that is used for the JWT in that part of the claims about the token itself is the time that the claims in the token are created. The second time field is associated with the signing operation and is a claim not about the content but about the signature. This is a signing time. The claims may be attested to at a different time that the signature was created. Having a signing time is not an important issue for the JWT specification; however I believe that it will become an issue for cases where multiple people will be signing a single document. These signatures may be either made in parallel or serialized but as they occur at different times knowing a claimed signing time may be of interest. Side note - I believe that the nonce question should be dropped until somebody makes a case for it that is related to signatures and not to protocols which is where I generally see nonces being used. (That is for freshness checking or associating multiple documents in a single dialog.) Jim _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
