
Subject: Re: [pki-tc] OCSP question

Sharon Boeyen, who is an observer on the PKI TC list,
asked me to send the following response. She can't
send it because she's an observer.




From: Sharon Boeyen <sharon.boeyen@entrust.com>
Sent: Monday, November 21, 2005 8:22 AM
To: 'Stephen Wilson'; pki-tc@lists.oasis-open.org
Subject: RE: [pki-tc] OCSP question

Hello Stephen,

There is nothing in an OCSP request to indicate the time of interest.
However, OCSP responses have an optional element "archive cutoff" that
can be used to indicate that the server covers expired certificates as
well as current ones. The archive cutoff time indicates how old the
server retains information and the client can compare that info to their
date of interest. However, even though the element is in the protocol
spec I suspect this is a feature that is not widely implemented, if at all.

The parameter I'm talking about is described in section 4.4.4 of RFC
2560 http://www.ietf.org/rfc/rfc2560.txt



Stephen Wilson wrote:
> I have a question specifically about how to check the validity of an old
> certificate at the time a given digital signature was created. 
> My understanding of OCSP is that it returns the validity of a given
> certificate at the time of the request (i.e. "now").  But what if I have an
> old digitally signed transaction which I am trying to validate?  It could
> have been signed years ago, or just days ago; the problem is the same.  The
> "Relying Party" wants to know if the signer's certificate was valid at the
> time of the signature (regardless of whether the certificate happens to
> have subsequently expired or even been revoked).
> Is the only way to validate old certificates to obtain the CRLs and delta
> CRLs leading up to the time of the signature and reconstruct the
> certificate validity? 
> Or is there an OCSP variant that helps?  One that has the time-and-date of
> interest as a parameter in the status check request?  
> Or finally ... apart from the ill-fated VA model, are there any services on
> the market today which provide this information easily?  
> Cheers, 
> Stephen Wilson
> Lockstep Consulting Pty Ltd
> www.lockstep.com.au
> ABN 59 593 754 482
> 11 Minnesota Ave
> Five Dock NSW 2046
> Australia
> P +61 (0)414 488 851
> --------------------
> About Lockstep 
> Lockstep was established in early 2004 by noted authentication expert
> Stephen Wilson, to provide independent advice and analysis on cyber
> security policy, strategy, risk management, and identity management. 
> Lockstep is also developing unique new smartcard solutions to address
> privacy and identity theft. 
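The relying-party logic the two messages discuss, as an added example that is not part of the thread and not code from either author: a response carries no "time of interest" parameter, so the client has to combine the certificate's own validity period, the response's producedAt, the revocationTime (if any) and the optional archiveCutoff value from RFC 2560 section 4.4.4 to decide whether the certificate was valid at the signing instant. The `OcspAnswer` class is a hypothetical simplified model of the fields a relying party extracts from a SingleResponse, not a full OCSP parser; the DER encoding of the archiveCutoff value (a GeneralizedTime) is real, and the sample dates are constructed. Where the cutoff is present, the example compares it with the certificate's expiry date (the responder's retention window for that certificate) rather than only with the date of interest, which is the conservative reading of 4.4.4.

```python
"""Relying-party check of an OCSP answer against a past signing time.

Added example, not from the mailing-list thread. OcspAnswer is a
hypothetical simplified model of one SingleResponse; sample dates are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# id-pkix-ocsp-archive-cutoff (RFC 2560 section 4.4.4); its value is a GeneralizedTime
ARCHIVE_CUTOFF_OID = "1.3.6.1.5.5.7.48.1.6"


def utc(year: int, month: int, day: int) -> datetime:
    """Convenience constructor for a UTC midnight timestamp."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def der_generalized_time(dt: datetime) -> bytes:
    """DER-encode a datetime as GeneralizedTime: tag 0x18, length, YYYYMMDDHHMMSSZ."""
    body = dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii")
    return bytes([0x18, len(body)]) + body


def parse_generalized_time(der: bytes) -> datetime:
    """Decode one short-form DER GeneralizedTime in the Z form; reject anything else."""
    if len(der) < 2 or der[0] != 0x18 or der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER GeneralizedTime")
    text = der[2:].decode("ascii")
    if len(text) != 15 or not text.endswith("Z"):
        raise ValueError("only the YYYYMMDDHHMMSSZ form is supported")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass
class OcspAnswer:
    """Hypothetical simplified view of a SingleResponse as seen by a relying party."""
    produced_at: datetime
    cert_status: str                               # "good", "revoked" or "unknown"
    revocation_time: Optional[datetime] = None     # present when cert_status == "revoked"
    archive_cutoff_der: Optional[bytes] = None     # DER value of the archiveCutoff extension


def status_at_signing_time(signing_time: datetime, not_before: datetime,
                           not_after: datetime, answer: OcspAnswer) -> str:
    """Return 'valid', 'invalid' or 'indeterminate' for the certificate at signing_time."""
    # 1. The certificate must have been inside its own validity period when it was used.
    if not (not_before <= signing_time <= not_after):
        return "invalid"
    # 2. A response only speaks about events up to its producedAt time.
    if signing_time > answer.produced_at:
        return "indeterminate"
    # 3. Decide whether the responder still held data about this certificate.
    if answer.archive_cutoff_der is not None:
        cutoff = parse_generalized_time(answer.archive_cutoff_der)
        if not_after < cutoff:
            # Certificate expired before the responder's retention window began:
            # a "good" answer here would only mean "nothing on file".
            return "indeterminate"
    elif not_after < answer.produced_at:
        # Expired certificate and no cutoff advertised: the responder may have
        # purged its record, so the status cannot be trusted either way.
        return "indeterminate"
    # 4. Map the reported status onto the signing instant.
    if answer.cert_status == "good":
        return "valid"
    if answer.cert_status == "revoked":
        if answer.revocation_time is not None and signing_time < answer.revocation_time:
            return "valid"          # signed before the revocation took effect
        return "invalid"            # revoked at or before signing, or no time given
    return "indeterminate"          # "unknown": responder cannot speak for this issuer


if __name__ == "__main__":
    # Constructed scenario: a 2002-2003 certificate used in mid-2003, queried in 2005.
    answer = OcspAnswer(produced_at=utc(2005, 11, 21), cert_status="revoked",
                        revocation_time=utc(2003, 9, 1),
                        archive_cutoff_der=der_generalized_time(utc(2000, 1, 1)))
    print(status_at_signing_time(utc(2003, 6, 1), utc(2002, 1, 1), utc(2004, 1, 1), answer))
```

The four outcomes a practitioner should expect from this check: a "good" or "revoked after the signing time" answer from a responder whose cutoff predates the certificate's expiry gives "valid"; a cutoff later than the expiry, or an expired certificate with no cutoff at all, gives "indeterminate" rather than a false "valid"; and a revocation at or before the signing instant gives "invalid". The last two cases are exactly why the question in the thread has no clean OCSP-only answer without the archive cutoff element.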
