OASIS Mailing List Archives

xri message

Subject: Re: [xri] Datetime for ds:Signature


I meant the extra properties for the XML signature.

However, if we are not going to use this spec, we can have it in the
XRD document as long as it is signed.

It is a good security principle in general to add a creation date in
items used for authentication. However, an attacker can post-date a
document if it manages to find a signing oracle or if it steals the
signing key, so in this example there is little to be gained. The only
sensible mechanism to revoke signed certificates is to revoke the key
used to sign any spurious items.

On Tue, Aug 11, 2009 at 12:21 AM, RL 'Bob' Morgan <rlmorgan@washington.edu> wrote:
>
> On Mon, 10 Aug 2009, John Bradley wrote:
>
>> XRD spec 2.2.2
>>
>>    2.2.2. Element <Expires>
>>
>> This xs:dateTime value indicates the time instant after which the document
>> is no longer valid and must not be used.
>
> This may already have been discussed, but the "must not be used" there makes
> me nervous, as there is a typical issue with this kind of thing.
>
> It may be taken to mean:  after this time the party relying on this document
> must assume the info in the document is no longer true and must purge any
> record of this information from local storage.  That is a tall order, and
> probably not what the signing party intends.  Usually such an element means:
>  the signer no longer guarantees the information in the signed document is
> true after this time, so the RP uses it at its own risk.
>
> To avoid getting into what "guarantees" means etc, it's pragmatic for a
> spec, rather than saying "must not be used", to say something like "the
> document does not validate after this time", as a processing rule.  If
> that's what we want to say I suggest just removing the "and must not be
> used" from this sentence.
>
>  - RL "Bob"
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
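Added illustration, not code from this thread, from the XRD specification or from OASIS: a relying-party check that treats <Expires> as a processing rule in Bob's sense (after that instant the document simply does not validate; what the RP does with any cached copy is its own decision), and that shows Breno's point that a timestamp in a signed item buys nothing against a stolen key, whereas revoking the key does. To keep it runnable with the standard library alone, a detached HMAC-SHA256 over the document bytes stands in for ds:Signature (an assumption, not how XRD signatures work); the key id, key bytes, sample documents and "now" value are constructed, and the namespace URI is assumed to be XRD 1.0's.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# XRD 1.0 namespace (assumed for this example).
XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"


def parse_xs_datetime(text):
    """Parse an xs:dateTime into an aware datetime; reject values without a zone."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        raise ValueError("<Expires> must carry a timezone")
    return value


def sign(xrd_bytes, key):
    """Toy detached signature standing in for ds:Signature (assumption): HMAC-SHA256."""
    return hmac.new(key, xrd_bytes, hashlib.sha256).hexdigest()


def validate_xrd(xrd_bytes, key_id, mac, keys, revoked_key_ids, now):
    """Processing rule: a document validates only if its signing key is known and not
    revoked, the signature verifies, and 'now' is not after <Expires> (if present).
    Returns 'ok', 'key-revoked', 'unknown-key', 'bad-signature' or 'expired'."""
    # Revocation is checked first: once a key is revoked, nothing it signed counts,
    # whatever dates the (possibly attacker-written) document carries.
    if key_id in revoked_key_ids:
        return "key-revoked"
    key = keys.get(key_id)
    if key is None:
        return "unknown-key"
    if not hmac.compare_digest(sign(xrd_bytes, key), mac):
        return "bad-signature"
    # Only now can <Expires> be trusted: it is covered by the verified signature.
    root = ET.fromstring(xrd_bytes)
    expires = root.find("{%s}Expires" % XRD_NS)
    if expires is not None and now > parse_xs_datetime(expires.text):
        return "expired"  # "does not validate after this time", no purge mandated
    return "ok"


def build_xrd(subject, expires=None):
    """Constructed sample XRD document (not a real one)."""
    exp = "<Expires>%s</Expires>" % expires if expires else ""
    return (
        '<XRD xmlns="%s">%s<Subject>%s</Subject>'
        '<Link rel="http://example.com/rel" href="https://example.com/"/></XRD>'
        % (XRD_NS, exp, subject)
    ).encode()


# Constructed key material and a clock fixed to the thread's date.
KEYS = {"key-2009": b"constructed-signing-key"}
NOW = datetime(2009, 8, 11, 0, 21, tzinfo=timezone.utc)


def demo():
    """Run the rule over a valid, a stale, a forged and a tampered document."""
    key = KEYS["key-2009"]
    good = build_xrd("https://example.com/", "2009-09-01T00:00:00Z")
    stale = build_xrd("https://example.com/", "2009-08-01T00:00:00Z")
    # Attacker holding the stolen key: any Expires (or creation date) validates.
    forged = build_xrd("https://example.com/", "2099-01-01T00:00:00Z")
    tampered = good.replace(b"example.com/", b"evil.example/")
    return {
        "good": validate_xrd(good, "key-2009", sign(good, key), KEYS, set(), NOW),
        "stale": validate_xrd(stale, "key-2009", sign(stale, key), KEYS, set(), NOW),
        "forged-before-revocation": validate_xrd(forged, "key-2009", sign(forged, key), KEYS, set(), NOW),
        "forged-after-revocation": validate_xrd(forged, "key-2009", sign(forged, key), KEYS, {"key-2009"}, NOW),
        "tampered": validate_xrd(tampered, "key-2009", sign(good, key), KEYS, set(), NOW),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, "->", status)
```

The forged document passes until the key is revoked, regardless of the dates it carries, which is the limit Breno describes; the expired document is merely reported as not validating, leaving cache handling to the RP as Bob suggests.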

