Re: [COSE] Certificate path validation and validity time interval
Russ Housley <housley@vigilsec.com> Wed, 27 March 2024 21:21 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF62BC15152B for <cose@ietfa.amsl.com>; Wed, 27 Mar 2024 14:21:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dDHxDNd_f7GF for <cose@ietfa.amsl.com>; Wed, 27 Mar 2024 14:21:02 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CFC2C14F603 for <cose@ietf.org>; Wed, 27 Mar 2024 14:21:02 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 5D47A57D53; Wed, 27 Mar 2024 17:21:01 -0400 (EDT)
Received: from smtpclient.apple (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 39B5257DE9; Wed, 27 Mar 2024 17:21:01 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <7591FEF5-4A6F-40B0-8EDE-9C27D3CD5FB0@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_97DCD3A7-8B2A-4956-B781-A1FF30D016C8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Wed, 27 Mar 2024 17:20:51 -0400
In-Reply-To: <9217bf68640344eb984c8a4fab70e4c1@jhuapl.edu>
Cc: "cose@ietf.org" <cose@ietf.org>
To: "Sipos, Brian J." <Brian.Sipos@jhuapl.edu>
References: <9217bf68640344eb984c8a4fab70e4c1@jhuapl.edu>
X-Mailer: Apple Mail (2.3731.700.6)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=from:message-id:content-type:mime-version:subject:date:in-reply-to:cc:to:references; s=pair-202402141609; bh=3l9yHkDctTQ6E7GUsLJ5WmUVJUrU/mRUVmVddASfjOk=; b=qEOqc2Tr7CpuovrfrWCr9xs3lJ0Qb9ee6q9+0QDQ/atrm9X/NT0hfTxG0pXQy5Dtrn0tsvnt/KaB1fN4LMqNGJWvPO7Xo0ijB2hkDzMA0SKgsuWjRNs5Spk6o6MrB74kgNTxaeFK/cHHd+SIhxI+QMXwEFU/reA8OLNAclPQmUMEVRcvdTn+1Gmw7rcdIvdxBOXhLS1vtgRunlN6BFvQJHtMT7cUcZDOUnv7UAXRqydqF26w76GAc6wI7YXhucDXPLiqj3E4UHOyY+SWH4F1cevWGqh/seqO6RNFxXF0M56YaWosvMVgorImZ2WoUZuuCtPnxFRn+S1qCmS+2FxVOQ==
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/-bU09-NqQomnkIeWRHkZEyP2T5w>
Subject: Re: [COSE] Certificate path validation and validity time interval
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 21:21:07 -0000
Brian: S/MIME does not use the signing time attribute as an input to certificate path validation. It is not expected to come from a trusted time source. Russ > On Mar 27, 2024, at 5:16 PM, Sipos, Brian J. <Brian.Sipos@jhuapl.edu> wrote: > > All, > I’m working an application of COSE [1] with the expectation of using X509 certificates for data signing, so using the “x5…” header parameters [2] for cert identification. This application is for store-and-forward data that may have a lifetime of days, weeks, or longer so similar to S/MIME in some aspects. > > The issue I’m running into is how to handle the validity time period of a certificate chain. Although S/MIME includes a “signing time” attribute [3] there is no guidance in that spec about if, or how, it would be used as part of PKIX validation or how to interpret or process certificate validity time intervals differently than in RFC 5280 [4], which mandates validation based on the current time. Using the current time doesn’t seem appropriate for S/MIME either, but I don’t see any alternative documented. > > Does anyone on the COSE mailing list have any thoughts or references to help me out? > Or maybe this is a better question for LAMPS WG directly? > Since COSE is intended for the store-and-forward use case, it might be a good errata to include a statement in the security considerations section..? > > Thanks, > Brian S. > > [1] https://www.ietf.org/archive/id/draft-ietf-dtn-bpsec-cose-03.html > [2] https://www.rfc-editor.org/rfc/rfc9360.html > [3] https://datatracker.ietf.org/doc/html/rfc8551#section-2.5.1 > [4] https://www.rfc-editor.org/rfc/rfc5280#section-6.1.3 > > _______________________________________________ > COSE mailing list > COSE@ietf.org <mailto:COSE@ietf.org> > https://www.ietf.org/mailman/listinfo/cose
- [COSE] Certificate path validation and validity t… Sipos, Brian J.
- Re: [COSE] Certificate path validation and validi… Russ Housley