Subject: Re: [xri] Datetime for ds:Signature


If the new parts of ds:sig that Scott mentioned are backwards compatible, that may not be too bad.

We have an existing expires element that arguably needs a wording change.

We have certificate revocation for those that want x509 and other ways of verifying signatures for SAML meta-data etc.

Other than perhaps for generational control what is the signing date good for?

If it is to know what version of a XRD is the most current, that may be a good reason but shouldn't be part of the signature itself.

John B.
On 11-Aug-09, at 9:17 AM, Breno de Medeiros wrote:

> I meant the extra properties for the XML signature.
>
> However, if we are not going to use this spec, we can have it in the
> XRD document as long as it is signed.
>
> It is a good security principle in general to add a creation date in
> items used for authentication. However, an attacker can post-date a
> document if it manages to find a signing oracle or if it steals the
> signing key, so in this example there is little to be gained. The only
> sensible mechanism to revoke signed certificates is to revoke the key
> used to sign any spurious items.
>
> On Tue, Aug 11, 2009 at 12:21 AM, RL 'Bob'
> Morgan<rlmorgan@washington.edu> wrote:
>>
>> On Mon, 10 Aug 2009, John Bradley wrote:
>>
>>> XRD spec 2.2.2
>>>
>>>    2.2.2. Element <Expires>
>>>
>>> This xs:dateTime value indicates the time instant after which the document
>>> is no longer valid and must not be used.
>>
>> This may already have been discussed, but the "must not be used" there makes
>> me nervous, as there is a typical issue with this kind of thing.
>>
>> It may be taken to mean: after this time the party relying on this document
>> must assume the info in the document is no longer true and must purge any
>> record of this information from local storage. That is a tall order, and
>> probably not what the signing party intends. Usually such an element means:
>> the signer no longer guarantees the information in the signed document is
>> true after this time, so the RP uses it at its own risk.
>>
>> To avoid getting into what "guarantees" means etc, it's pragmatic for a
>> spec, rather than saying "must not be used", to say something like "the
>> document does not validate after this time", as a processing rule. If
>> that's what we want to say I suggest just removing the "and must not be
>> used" from this sentence.
>>
>>  - RL "Bob"
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/ 
>> my_workgroups.php
>>
>
>
>
> -- 
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
>
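The processing rule Bob proposes ("the document does not validate after this time") can be stated as a validator check that reports expiry without purging anything from a relying party's cache. The following is an added example written for this archive page, not code from the XRI TC or the XRD specification; the XRD namespace URI, the sample document and the five-minute clock-skew allowance are assumptions chosen for illustration.

```python
"""Expires processing rule for an XRD document, as a validator check.

The check returns a status ('valid', 'expired', 'no-expires') and leaves it to
the caller to decide whether to refetch or keep using the cached copy; it never
purges local storage, which is the reading of "must not be used" that the
thread objects to.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumed XRD 1.0 namespace (not quoted in the thread); adjust if the spec differs.
XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"

# Constructed sample document: a minimal XRD carrying only <Expires> and <Subject>.
SAMPLE_XRD = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Expires>2009-08-12T00:00:00Z</Expires>
  <Subject>http://example.com/</Subject>
</XRD>
"""


def parse_xs_datetime(text):
    """Parse an xs:dateTime value into a timezone-aware UTC datetime.

    xs:dateTime permits values with no timezone, but a validator cannot
    compare "local time somewhere" against its own clock, so such values
    are rejected rather than guessed at (fail closed).
    """
    text = text.strip()
    if text.endswith("Z"):
        # datetime.fromisoformat() only accepts a trailing 'Z' from 3.11 on.
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError("Expires lacks a timezone; refusing to guess")
    return dt.astimezone(timezone.utc)


def expires_status(xrd_xml, now, skew=timedelta(minutes=5)):
    """Apply the rule 'the document does not validate after this time'.

    now   -- the validator's clock, as an aware datetime
    skew  -- assumed tolerance for clock drift between signer and validator;
             a document is reported expired only once now exceeds Expires + skew
    """
    root = ET.fromstring(xrd_xml)
    element = root.find("{%s}Expires" % XRD_NS)
    if element is None or not (element.text or "").strip():
        return "no-expires"
    expires = parse_xs_datetime(element.text)
    if now.astimezone(timezone.utc) > expires + skew:
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Two constructed clock readings on either side of the sample's Expires.
    for clock in (datetime(2009, 8, 11, 12, 0, tzinfo=timezone.utc),
                  datetime(2009, 8, 13, 0, 0, tzinfo=timezone.utc)):
        print(clock.isoformat(), "->", expires_status(SAMPLE_XRD, clock))
```

The skew window is the one place a deployer has to make a choice: too small and a signer whose clock runs slightly ahead will see its documents rejected at the instant of expiry, too large and the expiry loses its meaning. Rejecting timezone-less values keeps the comparison honest rather than silently treating them as UTC.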