[COSE] Certificate path validation and validity time interval

"Sipos, Brian J." <Brian.Sipos@jhuapl.edu> Wed, 27 March 2024 21:16 UTC


All,

I'm working an application of COSE [1] with the expectation of using X509
certificates for data signing, so using the "x5." header parameters [2] for
cert identification. This application is for store-and-forward data that may
have a lifetime of days, weeks, or longer so similar to S/MIME in some
aspects.

 

The issue I'm running into is how to handle the validity time period of a
certificate chain. Although S/MIME includes a "signing time" attribute [3]
there is no guidance in that spec about if, or how, it would be used as part
of PKIX validation or how to interpret or process certificate validity time
intervals differently than in RFC 5280 [4], which mandates validation based
on the current time. Using the current time doesn't seem appropriate for
S/MIME either, but I don't see any alternative documented.

 

Does anyone on the COSE mailing list have any thoughts or references to help
me out?

Or maybe this is a better question for LAMPS WG directly?

Since COSE is intended for the store-and-forward use case, it might be a
good errata to include a statement in the security considerations section?

 

Thanks,

Brian S.

 

[1] https://www.ietf.org/archive/id/draft-ietf-dtn-bpsec-cose-03.html

[2] https://www.rfc-editor.org/rfc/rfc9360.html

[3] https://datatracker.ietf.org/doc/html/rfc8551#section-2.5.1

[4] https://www.rfc-editor.org/rfc/rfc5280#section-6.1.3
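
The mismatch raised in this message, as an added example that is not part of the original post or of any cited document: under current-time validation a chain verifies only while "now" lies inside every certificate's validity interval, so stored data can outlive its signer's chain. The `Cert` stand-in, the subject names and all dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed X.509 certificate (validity fields only)."""
    subject: str
    not_before: datetime
    not_after: datetime

def outside_validity(chain, at):
    """Subjects whose validity interval does not include `at`.
    Current-time validation corresponds to at = now."""
    return [c.subject for c in chain if not (c.not_before <= at <= c.not_after)]

def chain_window(chain):
    """Intersection of all validity intervals, or None if it is empty."""
    start = max(c.not_before for c in chain)
    end = min(c.not_after for c in chain)
    return (start, end) if start <= end else None

def unverifiable_tail(chain, signed_at, lifetime):
    """Portion of the data lifetime during which a verifier using the
    current time would reject the chain because a certificate expired."""
    window = chain_window(chain)
    if window is None or not (window[0] <= signed_at <= window[1]):
        return lifetime  # chain was not valid even when the data was signed
    return max(timedelta(0), signed_at + lifetime - window[1])

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed chain: long-lived root and CA, short-lived signing certificate.
CHAIN = [
    Cert("root", utc(2020, 1, 1), utc(2030, 1, 1)),
    Cert("issuing-ca", utc(2023, 1, 1), utc(2026, 1, 1)),
    Cert("signer", utc(2024, 1, 1), utc(2024, 4, 1)),
]
SIGNED_AT = utc(2024, 3, 27)   # constructed signing time
LIFETIME = timedelta(days=30)  # constructed store-and-forward lifetime

if __name__ == "__main__":
    print("at signing:", outside_validity(CHAIN, SIGNED_AT))
    print("two weeks later:", outside_validity(CHAIN, utc(2024, 4, 10)))
    print("unverifiable for:", unverifiable_tail(CHAIN, SIGNED_AT, LIFETIME))
```
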