
Subject: Re: [pki-tc] OCSP question

In case you really need to go back in time in the way you describe, a solution
would be to store the signed OCSP response together with the signature
and the associated data.  This will also work in the not-so-unlikely case that
the CA is gone in 10 years or so.  Many people also think that you should
sign the whole package with a time-stamp using a long key as well.

In most systems it should be enough to verify the signature on receipt
and only accept valid signatures.  If you can rely on the storage and integrity
of the rest of the system, the proof is then implicit.  I'm personally in favor
of such solutions, as key expiration is a problem not only for end-user certs
but for CA certificates as well.

In WASP (the web-signature stuff), signature validation by end-users has
been removed completely, as it is much better handled by the information
system layer.  Even an OCSP responder may have its own root, making
trust establishment a real PITA if pushed on end-users.

Anders Rundgren

----- Original Message -----
From: "Stephen Wilson" <swilson@lockstep.com.au>
To: <pki-tc@lists.oasis-open.org>
Sent: Monday, November 21, 2005 01:00
Subject: [pki-tc] OCSP question

I have a question specifically about how to check the validity of an old
certificate at the time a given digital signature was created. 

My understanding of OCSP is that it returns the validity of a given
certificate at the time of the request (i.e. "now").  But what if I have an
old digitally signed transaction which I am trying to validate?  It could
have been signed years ago, or just days ago; the problem is the same.  The
"Relying Party" wants to know if the signer's certificate was valid at the
time of the signature (regardless of whether the certificate happens to
have subsequently expired or even been revoked).

Is the only way to validate old certificates to obtain the CRLs and delta
CRLs leading up to the time of the signature and reconstruct the
certificate validity? 

Or is there an OCSP variant that helps?  One that has the time-and-date of
interest as a parameter in the status check request?  

Or finally ... apart from the ill-fated VA model, are there any services on
the market today which provide this information easily?  


Stephen Wilson
Lockstep Consulting Pty Ltd
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046

P +61 (0)414 488 851


About Lockstep 
Lockstep was established in early 2004 by noted authentication expert
Stephen Wilson, to provide independent advice and analysis on cyber
security policy, strategy, risk management, and identity management. 
Lockstep is also developing unique new smartcard solutions to address
privacy and identity theft. 
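The check that both messages circle around, expressed as an added example that is not part of either post: a relying party that archived the OCSP response (as Anders suggests) and a time-stamp over the package decides, years later, whether the signer's certificate was valid at signing time. The data model, the 24-hour grace period and the sample record are constructed assumptions; nothing here parses real OCSP or time-stamp encodings.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of the evidence an archive keeps per signed transaction: the
# OCSP response fetched at receipt (field names follow RFC 2560's SingleResponse)
# and an optional time-stamp sealing signature and response together.
@dataclass
class OcspEvidence:
    cert_status: str                    # "good", "revoked" or "unknown"
    this_update: datetime               # status is asserted as of this moment
    revocation_time: Optional[datetime] = None

@dataclass
class ArchivedSignature:
    signing_time: datetime              # taken from the signature's time-stamp token
    cert_not_before: datetime
    cert_not_after: datetime
    ocsp: OcspEvidence
    archive_timestamp: Optional[datetime]  # time-stamp over signature + OCSP response

def status_at_signing(rec: ArchivedSignature, grace=timedelta(hours=24)) -> tuple:
    """Was the signer's certificate valid at rec.signing_time, judged only from the
    archived OCSP response? Revocation is monotone (a revoked cert never returns to
    'good'), so a response dated after the signing time suffices; `grace` absorbs
    the delay between a key compromise and the CA publishing the revocation."""
    t = rec.signing_time
    if not rec.cert_not_before <= t <= rec.cert_not_after:
        return False, "signing time outside the certificate validity period"
    r = rec.ocsp
    if r.this_update < t:   # status as of before the signature proves nothing about t
        return False, "archived OCSP response predates the signature"
    if rec.archive_timestamp is None or rec.archive_timestamp < r.this_update:
        return False, "no time-stamp binds the OCSP response to the signature"
    if r.cert_status == "good":
        return True, "not revoked as of thisUpdate, hence not revoked at signing time"
    if r.cert_status == "revoked" and r.revocation_time is not None:
        if r.revocation_time > t + grace:
            return True, "revoked only after the signing time plus grace period"
        return False, "revoked at or shortly after the signing time"
    return False, "OCSP status %r gives no assurance" % r.cert_status

def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed sample: transaction signed in Nov 2005, OCSP "good" response stored
# at receipt and time-stamped minutes later; the CA may be long gone when checked.
SAMPLE = ArchivedSignature(
    signing_time=utc(2005, 11, 21, 1, 0),
    cert_not_before=utc(2005, 1, 1), cert_not_after=utc(2007, 1, 1),
    ocsp=OcspEvidence("good", this_update=utc(2005, 11, 21, 1, 5)),
    archive_timestamp=utc(2005, 11, 21, 1, 6),
)
```

A response whose thisUpdate precedes the signing time is rejected deliberately: it cannot exclude a revocation between that moment and the signature, which is exactly the gap a "now"-only OCSP check leaves open.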
