Subject: Re: [ebxml-cppa] Re: CPA Expiration
I'll ensure that this gets added to the database. To avoid version control
issues, however, I hereby give Dale a "write lock" for the duration of the F2F.

Tony

----- Original Message -----
From: "Martin W Sachs" <mwsachs@us.ibm.com>
To: "Christopher Ferris" <chris.ferris@sun.com>
Cc: "Arvola Chan" <arvola@tibco.com>; "Dale Moberg" <dmoberg@cyclonecommerce.com>; <ebxml-cppa@lists.oasis-open.org>
Sent: Tuesday, January 29, 2002 10:31 AM
Subject: Re: [ebxml-cppa] Re: CPA Expiration

> Chris,
>
> We discussed this stuff yesterday at the F2F. Unfortunately, the lawyer
> (Jamie) was unable to join us.
>
> Dale's concern was that the state of the art of PKI doesn't seem to be up
> to using RetrievalMethod yet. As of the close of the session yesterday, we
> had decided to limit ourselves to a non-normative statement that software
> MAY detect the use of an expired certificate and signal a warning.
>
> I had overlooked the point about the certificates used to sign the CPA. We
> should include a statement with the signature discussion pointing out that
> when the CPA is to be signed, the value of the End element should (SHALL?)
> not exceed the expiration date and time of the certificate used for
> signing. (This does not apply to signing the CPP since the CPP has no
> stated expiration time.)
>
> Tony, please add this point to the issues list.
>
> Regards,
> Marty
>
> *************************************************************************************
> Martin W. Sachs
> IBM T. J. Watson Research Center
> P. O. B. 704
> Yorktown Hts, NY 10598
> 914-784-7287; IBM tie line 863-7287
> Notes address: Martin W Sachs/Watson/IBM
> Internet address: mwsachs @ us.ibm.com
> *************************************************************************************
>
> Christopher Ferris <chris.ferris@sun.com> on 01/29/2002 09:31:00 AM
>
> To: Martin W Sachs/Watson/IBM@IBMUS
> cc: Arvola Chan <arvola@tibco.com>, Dale Moberg <dmoberg@cyclonecommerce.com>, ebxml-cppa@lists.oasis-open.org
> Subject: Re: [ebxml-cppa] Re: CPA Expiration
>
> Some thoughts on this.
>
> First, as to embedded Certificates in the CPP/A, this practice, while
> valid, might not be what one might term "best practice" because it tightly
> binds the agreement with one or more certificates which in and of
> themselves may be: a) revoked (as in the case of a compromised cert) or
> b) expired before the agreement.
>
> A better practice (IMO) would be to leverage the KeyInfo/RetrievalMethod
> aspect of KeyInfo so as to identify a certificate in a manner that is not
> tightly bound to the agreement, while at the same time providing the
> effective PKI required to enable the parties to exchange their respective
> certificates.
>
> For the certificate(s) that actually *signs* the CPP/A document itself,
> the embedding of the full certificate might be appropriate (and may in
> fact be necessary), and the expiration of the certificate would
> necessarily need to be a date/time that is greater than the expiration of
> the agreement itself (a legal opinion on this would be useful).
>
> My $0.02,
>
> Chris
>
> Martin W Sachs wrote:
>
> > The CPA start and elements are not satisfactory with regard to
> > certificate expiration because using them would require manually setting
> > the end date to match the certificate expiration date. A better idea
> > would be to add an element or attribute that specifies that the first
> > certificate to expire also expires the CPA. Values could be yes and no.
> > This proposal might be a bit extreme since there are multiple
> > certificates for different purposes. However I doubt that we want to get
> > into expiring the CPA piecemeal even if we could figure out how to
> > specify that.
> >
> > Regards,
> > Marty
> >
> > Arvola Chan <arvola@tibco.com> on 01/27/2002 12:35:33 PM
> >
> > To: Dale Moberg <dmoberg@cyclonecommerce.com>, ebxml-cppa@lists.oasis-open.org
> > cc:
> > Subject: [ebxml-cppa] Re: CPA Expiration
> >
> > Dale:
> >
> > > We _might_ point out that it is
> > > advisable to expire the CPA (do we expire CPPs? CPA templates?
> > > I don't think we do yet. A CPA template might include a validity period,
> > > but does it mean the proposed CPA validity or the CPA template validity?)
> > > when the essential certificates expire (or at
> > > the earliest expiration date of the referenced or included
> > > essential certificates).
> >
> > There are already Start and End sub-elements under the
> > CollaborationProtocolAgreement element to indicate the CPA's validity
> > period.
> >
> > I agree with you that issue 9 can be closed and that we should
> >
> > > replace it by a new issue devoted to reaching consensus
> > > on what needs to be said about CPA expiration and certificate
> > > expiration when certificates are included.
> >
> > -Arvola
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
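The thread converges on two checks a CPA processor can make: warn when an essential certificate expires before the agreement's End (or is already expired), and treat it as an error when the certificate that signs the CPA expires before End. The following is an added example written for this page, not code from the ebXML CPP/A specification or any list member. It assumes certificate validity is handed in as already-parsed notBefore/notAfter values (no X.509 DER decoding), and the `CertificateRef`/`certId` naming for references inside `PartyInfo` is a constructed convention, not a claim about the schema. It also computes the "first certificate to expire also expires the CPA" alternative Marty raised, as an effective end date.

```python
"""Check a CPA's Start/End validity period against the certificates it uses.

Added example: not part of the ebXML CPP/A spec or the mailing-list thread.
Assumptions: certificate validity is supplied as parsed datetimes, and
certificate references are <CertificateRef certId="..."/> (constructed naming).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class CertInfo:
    """Validity window of one certificate (would come from X.509 notBefore/notAfter)."""
    cert_id: str
    not_before: datetime
    not_after: datetime


@dataclass
class CpaCheck:
    start: datetime
    end: datetime
    effective_end: datetime          # End, or the earliest referenced-cert expiry if sooner
    findings: list = field(default_factory=list)


def _parse_time(text: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is accepted as UTC."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def check_cpa_expiration(cpa_xml: str, certs: dict, signing_cert_id=None, now=None) -> CpaCheck:
    """Compare the CPA validity period with the certificates it references.

    WARNING findings correspond to the non-normative 'MAY detect and warn' rule;
    the ERROR on the signing certificate corresponds to the stronger rule that
    End must not exceed the signing certificate's expiration.
    """
    root = ET.fromstring(cpa_xml)
    start = _parse_time(root.findtext("Start"))
    end = _parse_time(root.findtext("End"))
    now = now or datetime.now(timezone.utc)
    result = CpaCheck(start=start, end=end, effective_end=end)

    if end <= start:
        result.findings.append("ERROR: CPA End is not later than Start")

    for ref in root.iter("CertificateRef"):
        cid = ref.get("certId")
        cert = certs.get(cid)
        if cert is None:
            result.findings.append(f"ERROR: CPA references unknown certificate '{cid}'")
            continue
        if cert.not_after <= now:
            result.findings.append(f"WARNING: certificate '{cid}' is already expired "
                                   f"(notAfter {cert.not_after.isoformat()})")
        if cert.not_after < end:
            # Dale's point: the agreement outlives one of its essential certificates.
            result.findings.append(f"WARNING: certificate '{cid}' expires before CPA End")
            result.effective_end = min(result.effective_end, cert.not_after)
        if cert.not_before > start:
            result.findings.append(f"WARNING: certificate '{cid}' is not yet valid at CPA Start")

    if signing_cert_id is not None:
        signer = certs.get(signing_cert_id)
        if signer is None:
            result.findings.append(f"ERROR: signing certificate '{signing_cert_id}' not known")
        elif end > signer.not_after:
            # Marty's rule for signed CPAs: End must not exceed the signer's expiration.
            result.findings.append("ERROR: signing certificate expires before CPA End")
    return result


# Constructed sample CPA and certificate metadata (not real data).
SAMPLE_CPA = """<CollaborationProtocolAgreement cpaid="example-cpa-1">
  <Start>2002-02-01T00:00:00Z</Start>
  <End>2003-02-01T00:00:00Z</End>
  <PartyInfo>
    <CertificateRef certId="sigCert"/>
    <CertificateRef certId="encCert"/>
  </PartyInfo>
</CollaborationProtocolAgreement>"""

SAMPLE_CERTS = {
    "sigCert": CertInfo("sigCert", _parse_time("2001-06-01T00:00:00Z"), _parse_time("2003-06-01T00:00:00Z")),
    "encCert": CertInfo("encCert", _parse_time("2001-06-01T00:00:00Z"), _parse_time("2002-12-31T00:00:00Z")),
}
NOW = _parse_time("2002-01-29T10:31:00Z")

if __name__ == "__main__":
    report = check_cpa_expiration(SAMPLE_CPA, SAMPLE_CERTS, signing_cert_id="sigCert", now=NOW)
    print("effective end:", report.effective_end.isoformat())
    for line in report.findings:
        print(line)
```

Run as a script, the sample produces a single warning (the encryption certificate expires before the CPA's End) and an effective end of 2002-12-31; pointing `signing_cert_id` at that same certificate instead turns the problem into an error, which is the distinction the thread draws between a certificate the agreement merely references and the one that signs it.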