[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] Timestamping
All, I agree with Nick: If we decide to support only time stamp tokens that can be represented by a signature comprising * the hash presented the requester together with * a couple of signed/unsigned attributes we should conceive a time stamp token as a kind of signature, similar to other use cases we have identified. We should * define a syntax for the signature * define a couple of widely usable attributes * define a protocol by which the requester can tell the signature service how to combine signature and attributes in order to create a particular kind of signature (in the creation use case), or which combination of signature and attributes is expected by the requester (in the verification use case). Regards, Gregor Karlinger > -----Original Message----- > From: Nick Pope [mailto:pope@secstan.com] > Sent: Monday, March 24, 2003 5:41 PM > To: Robert Zuccherato; dss@lists.oasis-open.org > Subject: RE: [dss] Timestamping > > > Robert, > > I see we have language problem. I see the syntax just a > component of the > protocol. > > I Re-run my argument with syntax instead of protocol. > > If we have to define a different syntax for all the > different potential semantics of a DSS service then we are > going have to > define a > multitude of syntaxes. Depending on the different inputs and > output options > being > considered the DSS will have different semantics. We have > already defined > in the use cases which have different semantics: e.g. for individal > signatures, corporate seals, delegated signatures, protecting SOAP > exchanges, notarisation ..... If we define a separate > syntax for each then > we will never finish our job. Also, if we do have a separate > syntax for > time-stamping I am concerned also about the need for a > separate syntax for verification of time-stamps. > > Nick > > > -----Original Message----- > > From: Robert Zuccherato [mailto:robert.zuccherato@entrust.com] > > Sent: 24 March 2003 15:53 > > To: 'Nick Pope'; dss@lists.oasis-open.org > > Subject: RE: [dss] Timestamping > > > > > > Nick; > > > > I also don't want to see a proliferation of protocols in > this TC. I think > > it is entirely reasonable though to have one protocol that > > returns either a > > (conventional) signature or a signed time stamp info object, > > depending upon > > which is being requested. > > > > Robert. > > > > > -----Original Message----- > > > From: Nick Pope [mailto:pope@secstan.com] > > > Sent: Saturday, March 22, 2003 10:11 AM > > > To: dss@lists.oasis-open.org > > > Cc: Robert Zuccherato > > > Subject: RE: [dss] Timestamping > > > > > > > > > Trevor, Robert, > > > > > > I agree with what Trevor has stated in his earlier messages. > > > > > > If we have to define a different protocol for all the > > > different potential > > > semantics of a DSS service then we are going have to define a > > > multitude of > > > protocols. Depending on the different inputs and output > options being > > > considered the DSS will have different semantics. We have > > > already defined > > > in the use cases which have different semantics: e.g. for > individal > > > signatures, corporate seals, delegated signatures, protecting SOAP > > > exchanges, notarisation ..... If we define a separate > > > protocol for each > > > then we will never finish our job. Also, if we do have a > > > separate protocol > > > for time-stamping I am concerned also about the need for a > > > separate protocol > > > for verification of time-stamps. > > > > > > In addition, having taken part in & watched years of > discussion on the > > > "non-repudiation bit", the exact semantics, and by > implication legal > > > liabilities, associated with signed data is much more > than a technical > > > question. > > > > > > I suggest that a more efficient approach would be as > > > mentioned at the last > > > DSS meeting: that is to define a generic protocol with > profiles for > > > specific uses. One of these profiles can be for time-stamping. > > > > > > Nick > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > From: Robert Zuccherato [mailto:robert.zuccherato@entrust.com] > > > > Sent: 21 March 2003 15:17 > > > > To: dss@lists.oasis-open.org > > > > Subject: RE: [dss] Timestamping > > > > > > > > > > > > Trevor; > > > > > > > > My feeling is that the semantics of a TSA's signature is > > > substantially > > > > different enough from the semantics of other signatures > > > that it warrants a > > > > separate syntax, or <TSTInfo>, for the signed data. Thus, I > > > > support option > > > > B below. > > > > > > > > Let's compare the timestamping scenario with the Corporate > > > Seal use case > > > > where only the hash of the data is sent to the server > and the server > > > > includes a time-mark (as some sort of authenticated > > > attribute). This use > > > > case is probably the closest in practice to the > > > timestamping scenario. In > > > > both situations the server sees only the hash of the data > > > and in both > > > > situations the server is appending the current time in some > > > fashion. The > > > > semantics of the two situations are very different though. > > > The TSA is not > > > > purporting to have originated the data and is not agreeing > > > to the data in > > > > any way. It is simply purporting to have seen the hash at > > > that time. > > > > However, in the Corporate Seal use case I argue that even though > > > > the server > > > > itself has not seen the actual data, the entity that has > > > > submitted the data > > > > to the server has and thus the server can claim to have > > > > originated the data > > > > or can agree to the data on behalf of that submitter. > This is why > > > > authentication to the server in this use case is so > > > important. The server > > > > is actually delegating some of it's responsibilities as a > > > signer to the > > > > submitter and must authenticate that the submission is from > > > a trusted > > > > entity. Thus, the corporate seal provides origin > > > authentication or agrees > > > > to the data on an organizational level. > > > > > > > > Now, we could still load all of these semantics into some > > > sort of signed > > > > attribute and if we could be sure that the attribute > would always be > > > > honoured, this would likely be fine. However, we don't have any > > > > criticality > > > > defined for authenticated attributes in most of the signature > > > > formats that I > > > > can think of. Thus, I believe that it is likely that these > > > TSA signatures > > > > will be mis-interpreted. The safe way of doing things, I > > > believe, is to > > > > have a separate syntax for timestamped data. > > > > > > > > Robert. > > > > > > > > > -----Original Message----- > > > > > From: Trevor Perrin [mailto:trevp@trevp.net] > > > > > Sent: Tuesday, March 18, 2003 4:38 PM > > > > > To: dss@lists.oasis-open.org > > > > > Subject: [dss] Timestamping > > > > > > > > > > > > > > > > > > > > The requirements subcommittee is considering what the > > > > > requirements should > > > > > be for a timestamp format and protocol. We'd like some input > > > > > from the > > > > > group, since this hasn't had much discussion yet. > > > > > > > > > > Currently, the notions of time-marked signatures and > time-stamped > > > > > signatures have been defined: > > > > > > > > > > A time-marked signature is just a signature on some content > > > > > with a signed > > > > > attribute (created by the signer) containing the signing time. > > > > > > > > > > A time-stamped signature contains, as an unsigned attribute, > > > > > a timestamp > > > > > "token", which somehow binds the time and a hash of the > > > time-stamped > > > > > signature's signatureValue, and is created and signed by a > > > > > 3rd party TSA > > > > > (Time Stamp Authority). > > > > > > > > > > More generally, a timestamp token may be used to timestamp > > > > > other things > > > > > than a signatureValue. > > > > > > > > > > Now, whatever format the timestamp token takes, a timestamp > > > > > protocol just > > > > > requires the client send a hash and receive back a token. > > > > > This shouldn't > > > > > be any different from the DSS protocol used in the > > > > > "client-side hashing" > > > > > and "receiving a detached signature" case. Thus, > > > > > time-stamping should just > > > > > be a use-case of the DSS protocol, not a separate protocol. > > > > > > > > > > As for an XML timestamp token format, there's two approaches: > > > > > A) Define a time-stamp token as just a time-marked signature > > > > > produced by a > > > > > 3rd-party that's trusted as a TSA. > > > > > B) Define a time-stamp token as a signature on some new > > > > > <TSTInfo> structure > > > > > containing a hash of the to-be-timestamped data and the time. > > > > > > > > > > In (A), the TSA produces a normal signature using the > hash of the > > > > > to-be-timestamped data, with time as a signed attribute. In > > > > > (B), the TSA > > > > > combines the hash of the to-be-timestamped data with the time > > > > > into a new > > > > > structure, and produces a normal signature on that. (B) is > > > > > the approach > > > > > used in RFC 3161, which is PKIX's timestamping protocol, and > > > > > is used to > > > > > timestamp CMS signatures. > > > > > > > > > > The benefit of (A) is that timestamps aren't handled > > > > > differently from any > > > > > other signature type, they're just a particular "semantics" > > > > > instead of > > > > > "syntax". The argument against this, is that timestamps > > > > > *are* different > > > > > from other signatures: Normally signatures testify that the > > > > > contents are > > > > > associated with the signer as an originating entity, not that > > > > > the contents > > > > > are associated with a time. So timestamps should have a > > > > > different syntax > > > > > to ensure that they're processed correctly, and that a > > > Relying Party > > > > > understands that the time is the important thing, and doesn't > > > > > mistakenly > > > > > ignore a signing-time signed attribute and think the TSA > > > > > originated the > > > > > to-be-signed data. > > > > > > > > > > One way of framing the question: what are the semantics of a > > > > > raw, DSIG > > > > > signature? If a DSIG signature is just a statement of the > > > > > form "someone > > > > > says something about some data", where > > > > > - the speaker ("someone") is identified with a <KeyInfo> > > > > > - the object ("some data") is identified with a <SignedInfo> > > > > > - the predicate (what is being said about the object) is > > > > > identified by > > > > > the <KeyInfo>'s properties/policy identifiers and signed > > > attributes > > > > > > > > > > Then asserting that the data existed at a certain time is > > > > > just another > > > > > predicate that can be asserted about <SignedInfo>, along with > > > > > asserting > > > > > that you originated it, or asserting that you agree to its > > > > > contents, or > > > > > asserting that it really came from some Identified Requestor. > > > > > > > > > > But if a DSIG signature also carries the semantics > that the signer > > > > > originated the data, then it would be misleading for a TSA to > > > > > produce a > > > > > signature on the to-be-timestamped hash while relegating the > > > > > signing time > > > > > to a signed attribute (but then wouldn't any use case where > > > > > the server > > > > > didn't originate the data, but just signed a hash, be > > > misleading?). > > > > > > > > > > But that may be unfair (I'm biased towards A). What do other > > > > > people prefer? > > > > > > > > > > Trevor > > > > > > > > > > > > > > > > > > > > > > > > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]