ebxml-cppa message



Subject: Re: [ebxml-cppa] Re: CPA Expiration


Some thoughts on this.

First, as to embedded Certificates in the CPP/A, this
practice, while valid, might not be what one might term
"best practice" because it tightly binds the agreement
with one or more certificates which in and of themselves
may be: a) revoked (as in the case of a compromised cert)
or b) expired before the agreement.

A better practice (IMO) would be to leverage the
KeyInfo/RetrievalMethod aspect of KeyInfo so as to identify
a certificate in a manner that is not tightly bound
to the agreement, while at the same time providing the
effective PKI required to enable the parties to exchange
their respective certificates.

For the certificate(s) that actually *signs* the CPP/A document
itself, the embedding of the full certificate might be
appropriate (and may in fact be necessary), and the expiration
of the certificate would necessarily need to be a date/time
that is greater than the expiration of the agreement
itself (a legal opinion on this would be useful).

My $0.02,

Chris

Martin W Sachs wrote:

> The CPA start and elements are not satisfactory with regard to certificate
> expiration because using them would require manually setting the end date
> to match the certificate expiration date. A better idea would be to add an
> element or attribute that specifies that the first certificate to expire
> also expires the CPA.  Values could be yes and no.  This proposal might be
> a bit extreme since there are multiple certificates for different purposes.
> However I doubt that we want to get into expiring the CPA piecemeal even if
> we could figure out how to specify that.
> 
> Regards,
> Marty
> 
> *************************************************************************************
> 
> Martin W. Sachs
> IBM T. J. Watson Research Center
> P. O. B. 704
> Yorktown Hts, NY 10598
> 914-784-7287;  IBM tie line 863-7287
> Notes address:  Martin W Sachs/Watson/IBM
> Internet address:  mwsachs @ us.ibm.com
> *************************************************************************************
> 
> 
> 
> Arvola Chan <arvola@tibco.com> on 01/27/2002 12:35:33 PM
> 
> To:    Dale Moberg <dmoberg@cyclonecommerce.com>,
>        ebxml-cppa@lists.oasis-open.org
> cc:
> Subject:    [ebxml-cppa] Re: CPA Expiration
> 
> 
> 
> Dale:
> 
> 
>>We _might_ point out that it is
>>advisable to expire the CPA (do we expire CPPs? CPA templates?
>>I don't think we do yet. A CPA template might include a validity period,
>>but does it mean the proposed CPA validity or the CPA template validity?)
>>when the essential certificates expire ( or at
>>the earliest expiration date of the referenced or included
>>essential certificates).
>>
> 
> There are already Start and End sub-elements under the
> CollaborationProtocolAgreement element to indicate the CPA's validity
> period.
> 
> I agree with you that issue 9 can be closed and that we should
> 
> 
>>replace it by a new issue devoted to reaching consensus
>>on what needs to be said about CPA expiration and certificate
>>expiration when certificates are included.
>>
> 
> -Arvola
> 
> 
> 
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
> 
> 
> 
> 
> 
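
The expiry relationships discussed in this thread, as an added example that is not part of the original messages: it reports the earliest date at which a referenced certificate expires before the CPA's End, and flags a CPA-signing certificate that does not outlive the agreement. The CPA fragment is a constructed, simplified stand-in (no namespaces), and the `use` attribute, the `audit_cpa` function and the notAfter values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed, simplified CPA fragment: namespaces are omitted and the
# "use" attribute is hypothetical, so this is not schema-valid ebXML.
CPA_XML = """
<CollaborationProtocolAgreement>
  <Start>2002-02-01T00:00:00Z</Start>
  <End>2003-02-01T00:00:00Z</End>
  <Certificate certId="sign-cpa" use="cpa-signature"/>
  <Certificate certId="tls-a" use="transport"/>
  <Certificate certId="enc-b" use="encryption"/>
</CollaborationProtocolAgreement>
"""

# Constructed notAfter values, standing in for what parsing each embedded or
# retrieved X.509 certificate would yield.
NOT_AFTER = {
    "sign-cpa": "2004-01-01T00:00:00Z",
    "tls-a": "2002-09-15T00:00:00Z",
    "enc-b": "2003-06-30T00:00:00Z",
}

def _ts(text):
    stamp = datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ")
    return stamp.replace(tzinfo=timezone.utc)

def audit_cpa(xml_text, not_after, revoked=()):
    """Return (effective_end, findings) for a CPA and its certificates."""
    root = ET.fromstring(xml_text)
    end = _ts(root.findtext("End"))
    effective_end, findings = end, []
    for cert in root.iter("Certificate"):
        cid, use = cert.get("certId"), cert.get("use")
        if cid in revoked:
            findings.append((cid, "revoked"))
        if cid not in not_after:
            findings.append((cid, "expiry-unknown"))
            continue
        expiry = _ts(not_after[cid])
        if use == "cpa-signature":
            # The certificate that signs the CPA should outlive the agreement.
            if expiry <= end:
                findings.append((cid, "signing-cert-does-not-outlive-cpa"))
        elif expiry < end:
            # First certificate to expire bounds the usable lifetime of the CPA.
            findings.append((cid, "expires-before-cpa-end"))
            effective_end = min(effective_end, expiry)
    return effective_end, findings
```

With the constructed data, `audit_cpa(CPA_XML, NOT_AFTER)` reports that `tls-a` expires before the CPA's End, so the agreement is usable only until 2002-09-15 unless that certificate is replaced.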



