[pkix] Requesting information on Time stamp authority certificate expiry.

Anoop Gulati <anoopgulati@gmail.com> Thu, 04 January 2018 18:22 UTC

From: Anoop Gulati <anoopgulati@gmail.com>
Date: Thu, 04 Jan 2018 12:22:15 -0600
Message-ID: <CAEZbcisdn226uNoG4NVv8R3rGPz7A=2PVCPR7nRbiM7Zi-UBhw@mail.gmail.com>
To: pkix@ietf.org
List-Id: PKIX Working Group <pkix.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/VUWUO-x80QzhN813f2D7KI9RhCo>

Hi Team,
Happy 2018!

I'm requesting some clarification on the status of a timestamped signature
when the timestamp authority (TSA) certificate expires.

My understanding is that a timestamp is applied to a digital signature to ensure
the digital signature continues to stay valid past the lifetime of the
signing certificate.
RFC 3161, in section 4.3, briefly talks about TSA certificate lifetimes, but
it does not clarify the situation of a natural TSA certificate expiry.

We recently experienced an enterprise-wide outage when Java started to
error out on a signed & timestamped jar file when the TSA certificate
expired.
Windows, on the other hand, does not error out on signed & timestamped files
on TSA certificate expiry.

So it seems that even the implementation is not consistent between platforms.
Hence I'm writing to understand how expiry of a TSA certificate impacts
existing signed and timestamped files.
Sincere apologies in advance if this is not the right platform to discuss
this; I was not able to find a working group specifically for digital
timestamps & TSAs.

Thanks,

Anoop
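The following is an added illustration, not code from the poster or from any of the platforms mentioned. It models the two verification behaviours the message describes as two explicit policies on certificate validity windows: one that only requires the TSA certificate to have been valid when the token was issued (genTime), and one that additionally requires it to be valid at verification time. Which policy is the right reading of RFC 3161 is exactly the question the message asks; the policy names, the dates and the certificate windows are all constructed for the example.

```python
"""Toy model of how a trusted timestamp anchors a signature, and how two
verification policies diverge once the TSA certificate expires.

Added example with constructed data; the two policies below are assumptions
for illustration, not the documented rules of Java, Windows or RFC 3161.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


def utc(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date (helper for the constructed sample)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Validity:
    """A certificate's notBefore/notAfter window."""
    not_before: datetime
    not_after: datetime

    def contains(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


class TsaPolicy(Enum):
    # Assumed policy 1: the TSA certificate only has to have been valid at
    # the token's genTime; its later expiry does not affect old tokens.
    VALID_AT_TIMESTAMP = "valid-at-timestamp"
    # Assumed policy 2: the TSA certificate must ALSO be valid when the
    # verifier runs, so its expiry invalidates every token it ever signed.
    VALID_AT_VERIFICATION = "valid-at-verification"


@dataclass(frozen=True)
class TimestampedSignature:
    signer_cert: Validity                 # certificate that signed the artifact
    tsa_cert: Optional[Validity] = None   # certificate that signed the token
    gen_time: Optional[datetime] = None   # TSTInfo.genTime; None = no timestamp


def verify(sig: TimestampedSignature, now: datetime, policy: TsaPolicy) -> Tuple[bool, str]:
    """Return (accepted, reason) for a signature verified at time `now`."""
    # No timestamp: the signing certificate itself must be valid right now.
    if sig.gen_time is None or sig.tsa_cert is None:
        if sig.signer_cert.contains(now):
            return True, "signer certificate valid at verification time"
        return False, "signer certificate expired and no timestamp anchors the signature"

    # The token proves the signature existed at gen_time, so the signer
    # certificate must have been valid then, not necessarily now.
    if not sig.signer_cert.contains(sig.gen_time):
        return False, "signer certificate was not valid at timestamp genTime"

    # Under both policies the TSA certificate must have been valid when it
    # issued the token; otherwise the token itself proves nothing.
    if not sig.tsa_cert.contains(sig.gen_time):
        return False, "TSA certificate was not valid at timestamp genTime"

    if policy is TsaPolicy.VALID_AT_VERIFICATION and not sig.tsa_cert.contains(now):
        return False, "TSA certificate expired before verification time"

    return True, "timestamp anchors signature; accepted past signer certificate expiry"


# Constructed sample windows (not real certificates): the signer expired at
# the start of 2017, the TSA at the end of 2017, and the jar was stamped in
# mid-2016 while both were valid.
SIGNER = Validity(utc(2015, 1, 1), utc(2017, 1, 1))
TSA = Validity(utc(2014, 6, 1), utc(2017, 12, 31))
JAR = TimestampedSignature(SIGNER, TSA, gen_time=utc(2016, 6, 15))
UNSTAMPED = TimestampedSignature(SIGNER)


def demo(now: datetime = utc(2018, 1, 4)) -> Dict[str, Tuple[bool, str]]:
    """Verify the same artifact under both policies shortly after TSA expiry."""
    return {
        "timestamped/valid-at-timestamp": verify(JAR, now, TsaPolicy.VALID_AT_TIMESTAMP),
        "timestamped/valid-at-verification": verify(JAR, now, TsaPolicy.VALID_AT_VERIFICATION),
        "unstamped": verify(UNSTAMPED, now, TsaPolicy.VALID_AT_TIMESTAMP),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:36s} {'VALID' if ok else 'INVALID':8s} {why}")
```

Run as a script, the same timestamped jar is accepted under the first policy and rejected under the second at a verification date in January 2018, while an unstamped signature from the same signer is rejected under either policy once the signer certificate has expired. The divergence is entirely in whether `now` is checked against the TSA window; that single comparison is the behavioural difference the message reports between platforms.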