Re: [pkix] Requesting information on Time stamp authority certificate expiry.

Anoop Gulati <anoopgulati@gmail.com> Wed, 17 January 2018 22:18 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/7PzATYjA7rKiGoy4lhQq2DCCZRs>

Many thanks for the responses and further explanation on the workings of
the TSA.

This poses a logistical challenge of redistributing a new signed copy of
code.
Also, apart from monitoring signing key expiration, we now also have to
monitor TSA key expiration.

I agree with your description of the TSA service, "I successfully validated
the signature on this object at time X", but apps & platforms not
acknowledging this fact post TSA key expiry is what's causing the impact.
I also agree with your point: "If there is a chain one may be able to infer
things, but changes in algorithms can kill you.", but this can be managed
as all previous alg. changes have been dealt with on an OS level,
e.g.:
https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx




On Fri, Jan 5, 2018 at 10:00 PM, Jim Schaad <ietf@augustcellars.com> wrote:

>
>
> > -----Original Message-----
> > From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz]
> > Sent: Friday, January 5, 2018 6:27 PM
> > To: Jim Schaad <ietf@augustcellars.com>; 'Anoop Gulati'
> > <anoopgulati@gmail.com>; pkix@ietf.org
> > Subject: Re: [pkix] Requesting information on Time stamp authority
> > certificate expiry.
> >
> > Jim Schaad <ietf@augustcellars.com> writes:
> >
> > >The correct rule ought to be, when the TSA certificate expires the
> > >signature expires and it no longer tells you anything more.
> >
> > Just because the cert has expired doesn't mean the signature automatically
> > invalidates itself.  The TSA countersig still tells you that the signed
> > item was OK at time X, if you securely store a copy of it after the expiry
> > time (or countersign it yourself, or whatever) you can refer back to your
> > known-good copy to check that it's still OK.
>
> I was referring to the TSA signature not the original signature.  On a new
> copy you cannot assume anything.  I agree that if you securely store the
> item while it was originally good then you can still make some assumptions
> about it still being the same as it originally was.
>
>
> >
> > It's really an ecumenical matt^H^H^Hpolicy issue as to how you manage this.
> >
> > Peter.
>
>
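
The two policies debated in this thread, modelled as an added example (not code from any poster, platform or standard): `STRICT` treats the timestamp as worthless once the TSA certificate expires, `TIME_OF_STAMP` keeps honouring "valid at time X". The policy names, function names and dates are assumptions constructed for illustration, and certificate validity is reduced to notBefore/notAfter with no revocation or algorithm checks.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

STRICT, TIME_OF_STAMP = "strict", "time-of-stamp"  # hypothetical policy names


@dataclass(frozen=True)
class Validity:
    not_before: datetime
    not_after: datetime

    def covers(self, t):
        return self.not_before <= t <= self.not_after


def evaluate(signer, tsa, stamped_at, now, policy):
    """Return (accepted, reason) for a code signature checked at `now`."""
    usable = (stamped_at is not None and stamped_at <= now
              and tsa.covers(stamped_at))
    # A stamp counts while the TSA cert is valid, or forever under TIME_OF_STAMP.
    if usable and (tsa.covers(now) or policy == TIME_OF_STAMP):
        if signer.covers(stamped_at):
            return True, "timestamp shows the signature was valid at time X"
        return False, "signing certificate not valid at the stamped time"
    # No stamp, or STRICT with an expired TSA cert: judge the signer cert today.
    if signer.covers(now):
        return True, "signing certificate still valid"
    return False, "signing certificate expired and no usable timestamp"


def resign_deadline(signer, tsa, stamped_at, policy):
    """Last instant evaluate() accepts; None means no expiry-driven deadline.
    Assumes any stamp was issued while both certificates were valid."""
    if stamped_at is None:
        return signer.not_after
    if policy == TIME_OF_STAMP:
        return None
    return max(signer.not_after, tsa.not_after)  # both expiries must be tracked


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample validity periods and stamp time.
SIGNER = Validity(utc(2015, 1, 1), utc(2017, 1, 1))
TSA = Validity(utc(2013, 1, 1), utc(2018, 1, 1))
STAMPED = utc(2016, 6, 1)
```

Under `STRICT` the deadline for shipping a freshly signed copy is the later of the two expiry dates, which is why both the signing key and the TSA key end up on the monitoring list.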