From: Yuji Shinozaki <[EMAIL PROTECTED]>
ys2n> Hmmm. Doesn't this get really complicated? As in suppose you have a
ys2n> document that is signed by a cert that has been suspended and then has
ys2n> been reinstated. In order to verify that the document was signed by the
ys2n> cert "when it was good", you would need to know:
ys2n>
ys2n> 1. when the cert was signed (and this must be a "signed
ys2n> datestamp" (signed by a trusted third-party) because
ys2n> someone could forge the date.
ys2n> 2. every period when the cert was suspended
ys2n> 3. every period when the cert was valid
ys2n>
ys2n> I suppose someone is thinking about how to do all this...
Funny you should mentino this. It was taken up on the ietf-pkix list
just a few days ago, and I think someone concluded that a signature
would always be valid if corresponding to a cert that has once been
valid.
Really, what one would need is to have a timestamp associated with the
signature and the possibility to check the validity of the associated
cert at that time. That would require that everyone keeps a history
of the certs they have to handle rather than just the current state...
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
