ebxml-cppa message



Subject: Re: [ebxml-cppa] Re: CPA Expiration


I'll ensure that this gets added to the database.  To avoid version control
issues, however, I hereby give Dale a "write lock" for the duration of the
F2F.

Tony

----- Original Message -----
From: "Martin W Sachs" <mwsachs@us.ibm.com>
To: "Christopher Ferris" <chris.ferris@sun.com>
Cc: "Arvola Chan" <arvola@tibco.com>; "Dale Moberg"
<dmoberg@cyclonecommerce.com>; <ebxml-cppa@lists.oasis-open.org>
Sent: Tuesday, January 29, 2002 10:31 AM
Subject: Re: [ebxml-cppa] Re: CPA Expiration


>
> Chris,
>
> We discussed this stuff yesterday at the F2F.  Unfortunately, the lawyer
> (Jamie) was unable to join us.
>
> Dale's concern was that the state of the art of PKI doesn't seem to be up
> to using RetrievalMethod yet. As of the close of the session yesterday, we
> had decided to limit ourselves to a non-normative statement that software
> MAY detect the use of an expired certificate and signal a warning.
>
> I had overlooked the point about the certificates used to sign the CPA.  We
> should include a statement with the signature discussion pointing out that
> when the CPA is to be signed, the value of the End element should (SHALL?)
> not exceed the expiration date and time of the certificate used for
> signing.  (This does not apply to signing the CPP since the CPP has no
> stated expiration time.)
>
> Tony, please add this point to the issues list.
>
> Regards,
> Marty
>
>
> *************************************************************************************
>
> Martin W. Sachs
> IBM T. J. Watson Research Center
> P. O. B. 704
> Yorktown Hts, NY 10598
> 914-784-7287;  IBM tie line 863-7287
> Notes address:  Martin W Sachs/Watson/IBM
> Internet address:  mwsachs @ us.ibm.com
>
> *************************************************************************************
>
>
>
> Christopher Ferris <chris.ferris@sun.com> on 01/29/2002 09:31:00 AM
>
> To:    Martin W Sachs/Watson/IBM@IBMUS
> cc:    Arvola Chan <arvola@tibco.com>, Dale Moberg
>        <dmoberg@cyclonecommerce.com>, ebxml-cppa@lists.oasis-open.org
> Subject:    Re: [ebxml-cppa] Re: CPA Expiration
>
>
>
> Some thoughts on this.
>
> First, as to embedded Certificates in the CPP/A, this
> practice, while valid, might not be what one might term
> "best practice" because it tightly binds the agreement
> with one or more certificates which in and of themselves
> may be: a) revoked (as in the case of a compromised cert)
> or b) expired before the agreement.
>
> A better practice (IMO) would be to leverage the
> KeyInfo/RetrievalMethod aspect of KeyInfo so as to identify
> a certificate in a manner that is not tightly bound
> to the agreement, while at the same time providing the
> effective PKI required to enable the parties to exchange
> their respective certificates.
>
> For the certificate(s) that actually *signs* the CPP/A document
> itself, the embedding of the full certificate might be
> appropriate (and may in fact be necessary), and the expiration
> of the certificate would necessarily need to be a date/time
> that is greater than the expiration of the agreement
> itself (a legal opinion on this would be useful).
>
> My $0.02,
>
> Chris
> Martin W Sachs wrote:
>
> > The CPA start and end elements are not satisfactory with regard to
> > certificate expiration because using them would require manually setting
> > the end date to match the certificate expiration date. A better idea would
> > be to add an element or attribute that specifies that the first
> > certificate to expire also expires the CPA.  Values could be yes and no.
> > This proposal might be a bit extreme since there are multiple certificates
> > for different purposes. However I doubt that we want to get into expiring
> > the CPA piecemeal even if we could figure out how to specify that.
> >
> > Regards,
> > Marty
> >
> >
>
> > *************************************************************************************
>
> >
> > Martin W. Sachs
> > IBM T. J. Watson Research Center
> > P. O. B. 704
> > Yorktown Hts, NY 10598
> > 914-784-7287;  IBM tie line 863-7287
> > Notes address:  Martin W Sachs/Watson/IBM
> > Internet address:  mwsachs @ us.ibm.com
> >
>
> > *************************************************************************************
>
> >
> >
> >
> > Arvola Chan <arvola@tibco.com> on 01/27/2002 12:35:33 PM
> >
> > To:    Dale Moberg <dmoberg@cyclonecommerce.com>,
> >        ebxml-cppa@lists.oasis-open.org
> > cc:
> > Subject:    [ebxml-cppa] Re: CPA Expiration
> >
> >
> >
> > Dale:
> >
> >
> >>We _might_ point out that it is
> >>advisable to expire the CPA (do we expire CPPs? CPA templates?
> >>I don't think we do yet. A CPA template might include a validity period,
> >>but does it mean the proposed CPA validity or the CPA template validity?)
> >>when the essential certificates expire (or at
> >>the earliest expiration date of the referenced or included
> >>essential certificates).
> >>
> >
> > There are already Start and End sub-elements under the
> > CollaborationProtocolAgreement element to indicate the CPA's validity
> > period.
> >
> > I agree with you that issue 9 can be closed and that we should
> >
> >
> >>replace it by a new issue devoted to reaching consensus
> >>on what needs to be said about CPA expiration and certificate
> >>expiration when certificates are included.
> >>
> >
> > -Arvola
> >
> >
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>

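The two rules argued over in the thread (Marty's point that a signed CPA's End must not pass the signing certificate's expiry, and Dale's proposal that the first essential certificate to expire effectively expires the CPA) can be checked mechanically. This is an added illustration, not code from the ebXML CPP/A specification or any OASIS implementation; the CPA fragment, certificate lifetimes and the role labels are constructed, and the check deliberately ignores namespaces so it does not depend on a particular schema version.

```python
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Constructed sample CPA fragment (not from a real agreement); only the Start/End
# sub-elements the thread refers to are included, and no namespace is assumed.
SAMPLE_CPA = """<CollaborationProtocolAgreement>
  <Start>2002-02-01T00:00:00Z</Start>
  <End>2003-02-01T00:00:00Z</End>
</CollaborationProtocolAgreement>"""

# Constructed certificate notAfter values, keyed by the role each certificate plays.
SAMPLE_CERTS = {
    "cpa-signing": "2002-12-31T23:59:59Z",        # certificate that signs the CPA itself
    "partyA-message-signing": "2004-01-01T00:00:00Z",
    "partyB-encryption": "2002-06-30T00:00:00Z",
}


def parse_utc(text):
    """Parse an ISO-8601 UTC timestamp such as 2002-02-01T00:00:00Z."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_local(root, name):
    """Return the first element whose local name matches, ignoring any namespace."""
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)


def check_cpa_expiry(cpa_xml, cert_not_after, signing_role="cpa-signing"):
    """Return (effective_end, findings) for a CPA and the lifetimes of its certificates.

    Rule 1: End must not exceed the expiry of the certificate that signs the CPA.
    Rule 2: the earliest-expiring other certificate effectively expires the CPA,
    so the effective end is min(End, earliest other certificate expiry).
    """
    root = ET.fromstring(cpa_xml)
    end_el = find_local(root, "End")
    if end_el is None:
        return None, ["CPA has no End element; its lifetime is unbounded"]
    end = parse_utc(end_el.text)
    start_el = find_local(root, "Start")
    findings = []
    if start_el is not None and parse_utc(start_el.text) >= end:
        findings.append("ERROR: Start is not before End")
    signing_exp = parse_utc(cert_not_after[signing_role])
    if end > signing_exp:
        findings.append(f"ERROR: End {end:%Y-%m-%d} exceeds {signing_role} certificate expiry {signing_exp:%Y-%m-%d}")
    others = {r: parse_utc(t) for r, t in cert_not_after.items() if r != signing_role}
    effective_end = end
    if others:
        role, exp = min(others.items(), key=lambda kv: kv[1])
        if exp < end:
            findings.append(f"WARNING: {role} certificate expires {exp:%Y-%m-%d}, before End; CPA effectively ends then")
            effective_end = exp
    return effective_end, findings
```

Run against the sample, the check flags the End date as exceeding the CPA-signing certificate and reports that the encryption certificate shortens the effective agreement to 2002-06-30.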
