Re: [pkix] Requesting information on Time stamp authority certificate expiry.

Jim Schaad <ietf@augustcellars.com> Sat, 06 January 2018 04:00 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1236B1242EA for <pkix@ietfa.amsl.com>; Fri, 5 Jan 2018 20:00:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XtxafsK98F8u for <pkix@ietfa.amsl.com>; Fri, 5 Jan 2018 20:00:51 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37EF01200C1 for <pkix@ietf.org>; Fri, 5 Jan 2018 20:00:51 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 5 Jan 2018 19:59:20 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>, 'Anoop Gulati' <anoopgulati@gmail.com>, <pkix@ietf.org>
References: <CAEZbcisdn226uNoG4NVv8R3rGPz7A=2PVCPR7nRbiM7Zi-UBhw@mail.gmail.com>, <001901d38695$2277c500$67674f00$@augustcellars.com> <1515205633085.62626@cs.auckland.ac.nz>
In-Reply-To: <1515205633085.62626@cs.auckland.ac.nz>
Date: Fri, 5 Jan 2018 20:00:43 -0800
Message-ID: <002c01d386a2$ee47c060$cad74120$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQH3iw0DpJOO6sVZAPQvik52kS602wDGSlwJAZAnu+mjC3vVMA==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/MsTmx8Vv1cacCwkpIb-PV7QeWeU>
Subject: Re: [pkix] Requesting information on Time stamp authority certificate expiry.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jan 2018 04:00:53 -0000


> -----Original Message-----
> From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz]
> Sent: Friday, January 5, 2018 6:27 PM
> To: Jim Schaad <ietf@augustcellars.com>om>; 'Anoop Gulati'
> <anoopgulati@gmail.com>om>; pkix@ietf.org
> Subject: Re: [pkix] Requesting information on Time stamp authority
> certificate expiry.
> 
> Jim Schaad <ietf@augustcellars.com> writes:
> 
> >The correct rule ought to be, when the TSA certificate expires the
> >signature expires and it no longer tells you anything more.
> 
> Just because the cert has expired doesn't mean the signature automatically
> invalidates itself.  The TSA countersig still tells you that the signed
item was
> OK at time X, if you securely store a copy of it after the expiry time (or
> countersign it yourself, or whatever) you can refer back to your
known-good
> copy to check that it's still OK.

I was referring to the TSA signature not the original signature.  On a new
copy you cannot assume anything.  I agree that if you securely store the
item while it was originally good then you can still make some assumptions
about it still being the same as it originally was.


> 
> It's really an ecumenical matt^H^H^Hpolicy issue as to how you manage
this.
> 
> Peter.