Hi Steve,

Thanks for the post; it addresses one of the fears I have as well. A
certificate validity date is basically there to limit the length of time a
compromised keypair can be used for, and if someone got hold of an 'expired'
keypair it would be very simple for them to turn their dates back and
sign till kingdom come, and to me that's a bit disturbing. Granted, the
chances of compromise may be small, and the onus is on the user to ensure that
everything is locked down, but these things do happen...

Thanks for your time...  : )

Dr S N Henson wrote:

> Robert Relyea wrote:
> >
> >
> > There has been lots of debate about this within Netscape because the
> > timestamp is not authenticated. Once you have a certificate, it's
> > possible to continue to create valid signed objects by back-dating.
>
> And rather thorny problems would also arise if a certificate has been
> revoked.
>
> >
> > The debate on this semantic will probably continue until we have a cheap
> > reliable authority to verify timestamps.
> >
>
> Is there some reason why the Verisign timestamper can't be used? It was
> intended for Authenticode but the request format is simple enough and
> the output can be used in a PKCS#7 countersignature.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.

--
Jason Barr
Vendor Manager
Thawte Tech Support
www.thawte.com/cgi/support/contents.exe
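The back-dating problem discussed in the thread above, as an added example that is not from the original message, from Netscape or from OpenSSL: a verifier that trusts the signer's own signingTime accepts a signature back-dated into the certificate's validity window, while one that takes its time from a timestamp authority's countersignature does not. HMAC stands in for the signer's and the TSA's real signatures, and Cert and SignedObject are constructed stand-ins for the X.509 and PKCS#7 structures.

```python
# Constructed example (times are Unix seconds): HMAC stands in for real signatures;
# Cert and SignedObject are simplified stand-ins for X.509 and PKCS#7 SignerInfo.
import hmac, hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cert:
    not_before: int
    not_after: int
    revoked_at: Optional[int] = None  # None: never revoked

@dataclass
class SignedObject:
    content: str
    asserted_time: int                 # signingTime chosen by the signer
    signature: bytes                   # MAC over content and asserted_time
    tsa_time: Optional[int] = None     # time vouched for by the TSA
    tsa_token: Optional[bytes] = None  # TSA MAC over signature and tsa_time

def _mac(key: bytes, *parts: str) -> bytes:
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()

def sign(key: bytes, content: str, claimed: int) -> SignedObject:
    # The signer picks 'claimed' freely: nothing stops a back-dated value.
    return SignedObject(content, claimed, _mac(key, content, str(claimed)))

def countersign(tsa_key: bytes, obj: SignedObject, now: int) -> SignedObject:
    # The TSA binds its own clock reading to the signature value it is shown.
    obj.tsa_time, obj.tsa_token = now, _mac(tsa_key, obj.signature.hex(), str(now))
    return obj

def _usable_at(cert: Cert, t: int) -> bool:
    if cert.revoked_at is not None and t >= cert.revoked_at:
        return False
    return cert.not_before <= t <= cert.not_after

def verify_naive(key: bytes, cert: Cert, obj: SignedObject) -> bool:
    """Trusts the signer's own signingTime, so a leaked key satisfies it forever."""
    ok = hmac.compare_digest(_mac(key, obj.content, str(obj.asserted_time)), obj.signature)
    return ok and _usable_at(cert, obj.asserted_time)

def verify_with_tsa(key: bytes, tsa_key: bytes, cert: Cert, obj: SignedObject) -> bool:
    """Accepts only a time the TSA vouched for; the signer's own claim is ignored."""
    if not hmac.compare_digest(_mac(key, obj.content, str(obj.asserted_time)), obj.signature):
        return False
    if obj.tsa_token is None or obj.tsa_time is None:
        return False  # no independent time: cannot tell when it was signed
    token = _mac(tsa_key, obj.signature.hex(), str(obj.tsa_time))
    return hmac.compare_digest(token, obj.tsa_token) and _usable_at(cert, obj.tsa_time)
```

With a revoked certificate, verify_naive still passes a signature whose signingTime was set inside the old validity window, whereas verify_with_tsa rejects it unless the TSA's time also falls before revocation and within validity.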