
Subject: Re: [ebxml-cppa] Re: CPA Expiration



Chris,

We discussed this stuff yesterday at the F2F.  Unfortunately, the lawyer
(Jamie) was unable to join us.

Dale's concern was that the state of the art of PKI doesn't seem to be up
to using RetrievalMethod yet. As of the close of the session yesterday, we
had decided to limit ourselves to a non-normative statement that software
MAY detect the use of an expired certificate and signal a warning.

I had overlooked the point about the certificates used to sign the CPA.  We
should include a statement with the signature discussion pointing out that
when the CPA is to be signed, the value of the End element should (SHALL?)
not exceed the expiration date and time of the certificate used for
signing.  (This does not apply to signing the CPP since the CPP has no
stated expiration time.)

Tony, please add this point to the issues list.

Regards,
Marty

*************************************************************************************

Martin W. Sachs
IBM T. J. Watson Research Center
P. O. B. 704
Yorktown Hts, NY 10598
914-784-7287;  IBM tie line 863-7287
Notes address:  Martin W Sachs/Watson/IBM
Internet address:  mwsachs @ us.ibm.com
*************************************************************************************
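The two checks Marty describes above (warn on an expired certificate; the CPA End must not exceed the signing certificate's notAfter), plus the earlier "first certificate to expire also expires the CPA" idea, as an added example that is not code from this thread or from the CPPA specification. It assumes a simplified, constructed CPA fragment with a placeholder namespace, and that each certificate's notAfter has already been extracted (from an embedded X509Certificate or one fetched via RetrievalMethod).

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed, simplified CPA fragment (not a real CPPA document) with the
# Start/End validity period and Certificate elements keyed by certId.
# The namespace is a placeholder, not the CPPA schema namespace.
NS_URI = "urn:example:cpa"
NS = {"tp": NS_URI}
CPA_XML = f"""<tp:CollaborationProtocolAgreement xmlns:tp="{NS_URI}">
  <tp:Start>2002-02-01T00:00:00Z</tp:Start>
  <tp:End>2003-02-01T00:00:00Z</tp:End>
  <tp:PartyInfo>
    <tp:Certificate certId="CompanyA_Signing"/>
    <tp:Certificate certId="CompanyA_Encryption"/>
  </tp:PartyInfo>
</tp:CollaborationProtocolAgreement>"""

# Assumed: notAfter already extracted from each referenced certificate,
# whether embedded as X509Certificate or fetched via RetrievalMethod.
CERT_NOT_AFTER = {
    "CompanyA_Signing": datetime(2002, 12, 31, 23, 59, 59, tzinfo=timezone.utc),
    "CompanyA_Encryption": datetime(2004, 1, 1, tzinfo=timezone.utc),
}

def parse_ts(text):
    # UTC timestamps as used in the constructed fragment above
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_cpa(cpa_xml, not_after, signing_cert_id, now):
    """Return (warnings, effective_end, ok_to_sign): non-normative warnings,
    CPA End pulled in to the earliest certificate expiry if that comes first,
    and whether End does not exceed the signing certificate's notAfter."""
    root = ET.fromstring(cpa_xml)
    end = parse_ts(root.find("tp:End", NS).text)
    warnings, effective_end = [], end
    for cert in root.iter(f"{{{NS_URI}}}Certificate"):
        cid = cert.get("certId")
        exp = not_after.get(cid)
        if exp is None:
            warnings.append(f"{cid}: expiry unknown, certificate not resolvable")
            continue
        if exp <= now:  # software MAY detect use of an expired certificate
            warnings.append(f"{cid}: already expired at {exp.isoformat()}")
        if exp < end:   # certificate outlived by the agreement
            warnings.append(f"{cid}: expires {exp.isoformat()} before CPA End")
            effective_end = min(effective_end, exp)
    sig_exp = not_after.get(signing_cert_id)
    return warnings, effective_end, sig_exp is not None and end <= sig_exp
```

With the constructed data the signing certificate expires eleven months before End, so the CPA should not be signed as-is, and the effective end of the agreement is pulled in to that certificate's notAfter.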



Christopher Ferris <chris.ferris@sun.com> on 01/29/2002 09:31:00 AM

To:    Martin W Sachs/Watson/IBM@IBMUS
cc:    Arvola Chan <arvola@tibco.com>, Dale Moberg
       <dmoberg@cyclonecommerce.com>, ebxml-cppa@lists.oasis-open.org
Subject:    Re: [ebxml-cppa] Re: CPA Expiration



Some thoughts on this.

First, as to embedded Certificates in the CPP/A, this
practice, while valid, might not be what one might term
"best practice" because it tightly binds the agreement
with one or more certificates which in and of themselves
may be: a) revoked (as in the case of a compromised cert)
or b) expired before the agreement.

A better practice (IMO) would be to leverage the
KeyInfo/RetrievalMethod aspect of KeyInfo so as to identify
a certificate in a manner that is not tightly bound
to the agreement, while at the same time providing the
effective PKI required to enable the parties to exchange
their respective certificates.

For the certificate(s) that actually *signs* the CPP/A document
itself, the embedding of the full certificate might be
appropriate (and may in fact be necessary), and the expiration
of the certificate would necessarily need to be a date/time
that is greater than the expiration of the agreement
itself (a legal opinion on this would be useful).

My $0.02,

Chris
Martin W Sachs wrote:

> The CPA start and elements are not satisfactory with regard to
> certificate expiration because using them would require manually setting
> the end date to match the certificate expiration date. A better idea
> would be to add an element or attribute that specifies that the first
> certificate to expire also expires the CPA.  Values could be yes and no.
> This proposal might be a bit extreme since there are multiple
> certificates for different purposes. However I doubt that we want to get
> into expiring the CPA piecemeal even if we could figure out how to
> specify that.
>
> Regards,
> Marty
>
> *************************************************************************************

>
> Martin W. Sachs
> IBM T. J. Watson Research Center
> P. O. B. 704
> Yorktown Hts, NY 10598
> 914-784-7287;  IBM tie line 863-7287
> Notes address:  Martin W Sachs/Watson/IBM
> Internet address:  mwsachs @ us.ibm.com
> *************************************************************************************

>
>
>
> Arvola Chan <arvola@tibco.com> on 01/27/2002 12:35:33 PM
>
> To:    Dale Moberg <dmoberg@cyclonecommerce.com>,
>        ebxml-cppa@lists.oasis-open.org
> cc:
> Subject:    [ebxml-cppa] Re: CPA Expiration
>
>
>
> Dale:
>
>
>>We _might_ point out that it is
>>advisable to expire the CPA (do we expire CPPs? CPA templates?
>>I don't think we do yet. A CPA template might include a validity period,
>>but does it mean the proposed CPA validity or the CPA template validity?)
>>when the essential certificates expire ( or at
>>the earliest expiration date of the referenced or included
>>essential certificates).
>>
>
> There are already Start and End sub-elements under the
> CollaborationProtocolAgreement element to indicate the CPA's validity
> period.
>
> I agree with you that issue 9 can be closed and that we should
>
>
>>replace it by a new issue devoted to reaching consensus
>>on what needs to be said about CPA expiration and certificate
>>expiration when certificates are included.
>>
>
> -Arvola
>



----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>