OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [dss] Gregor's comments on req draft 02 (WAS: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded)

Trevor,

> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net] 
> Sent: Monday, March 31, 2003 6:46 PM
> To: Gregor Karlinger
> Cc: dss@lists.oasis-open.org
> Subject: Re: [dss] Gregor's comments on req draft 02 (WAS: 
> RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded)
> 
> 
> At 11:58 AM 3/31/2003 +0200, Gregor Karlinger wrote:
> 
> > > Trevor wrote:
> > > Right, but when the client wants to determine 
> verification status at 
> > > some time in the past, does he want to know what the server 
> > > *thought* the verification status was then, or what the server 
> > > *currently
> > > thinks* the
> > > verification status was then.  I'm pretty sure it's the 
> latter, just 
> > > wanted to check.
> >
> >No. The service should verify the signature based on revocation info 
> >for the date requested by the client. What would be the 
> sense of pro- 
> >viding a date in the past, if the service verified based on current 
> >revocation info?
> 
> Should the service verify based on the information it 
> currently has about 
> that date in the past, or should it verify based on the data 
> it had then?
> 
> That is, is the service trying to give it's best answer about 
> whether the 
> signature was valid on that date, or is it trying to simulate 
> how it would 
> have responded on that date?

Now I think I've got it. Of course, the service should use the 
information at the time of the request. Examples where the know-
ledge of the service could have changed:

* A certificate was "on hold" at the validation date, but has been
  set to status "valid" again later. In this case the service should
  report the cert as valid.

* The latest CRL has not been available at the validation time. The
  next available CRL after the validation time contains the signer
  certificate as "revoked". In this case the service should report
  the cert as "revoked".

/Gregor

smime.p7s

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]