On Tue, Jun 20, 2000 at 07:34:53AM +0200, Richard Levitte - VMS Whacker wrote:
>
> Funny you should mentino this. It was taken up on the ietf-pkix list
> just a few days ago, and I think someone concluded that a signature
> would always be valid if corresponding to a cert that has once been
> valid.
Does that make sense? If I were to compromise a cert at some point in time,
there would be nothing (except timestamping) that would keep me from
signing something as if it had been signed in the past.
>
> Really, what one would need is to have a timestamp associated with the
> signature and the possibility to check the validity of the associated
> cert at that time. That would require that everyone keeps a history
> of the certs they have to handle rather than just the current state...
>
And the shortcut here would be timestamping - handled by someone else
that stores the original signature along with the timestamp. It would
probably make sense for the time stamping authority to check the validity
of the signers cert via OCSP or something similar.
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
