Re: [pkix] Requesting information on Time stamp authority certificate expiry.

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 06 January 2018 02:27 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Jim Schaad <ietf@augustcellars.com>, 'Anoop Gulati' <anoopgulati@gmail.com>, "pkix@ietf.org" <pkix@ietf.org>
Date: Sat, 6 Jan 2018 02:27:21 +0000
Message-ID: <1515205633085.62626@cs.auckland.ac.nz>
References: <CAEZbcisdn226uNoG4NVv8R3rGPz7A=2PVCPR7nRbiM7Zi-UBhw@mail.gmail.com>, <001901d38695$2277c500$67674f00$@augustcellars.com>
In-Reply-To: <001901d38695$2277c500$67674f00$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/W5_7XQQwPz6nGTB5IbXirihcjgc>

Jim Schaad <ietf@augustcellars.com> writes:

>The correct rule ought to be, when the TSA certificate expires the signature
>expires and it no longer tells you anything more.

Just because the cert has expired doesn't mean the signature automatically
invalidates itself.  The TSA countersig still tells you that the signed item
was OK at time X; if you securely store a copy of it after the expiry time (or
countersign it yourself, or whatever) you can refer back to your known-good
copy to check that it's still OK.

It's really an ecumenical matt^H^H^Hpolicy issue as to how you manage this.

Peter.
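The distinction Peter draws above (the TSA's certificate validity is judged at the token's genTime, and what you do once that certificate lapses is policy) can be shown in code. The following is an added illustration, not code from the thread or from any TSA implementation: it models an RFC 3161-style token with a toy HMAC standing in for the TSA's real RSA/ECDSA signature, uses hypothetical TSA names (TSA-A, TSA-B) and constructed dates, and encodes one particular policy, the "countersign it yourself before the earlier cert expires" renewal chain, as a worked example of the kind of rule the thread leaves open.

```python
"""Toy model of verifying a time-stamp token after the TSA certificate has expired."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac


@dataclass(frozen=True)
class TsaCert:
    """Hypothetical TSA certificate reduced to the fields the policy check needs."""
    name: str
    not_before: datetime
    not_after: datetime
    key: bytes  # stand-in for the TSA signing key; HMAC replaces a real signature here


@dataclass(frozen=True)
class Token:
    """Hypothetical time-stamp token: imprint of what was stamped, genTime, 'signature'."""
    tsa: TsaCert
    message_imprint: bytes
    gen_time: datetime
    sig: bytes


def _tbs(imprint: bytes, gen_time: datetime) -> bytes:
    # Bytes the TSA "signs": length-prefixed imprint plus genTime, so fields cannot slide.
    return len(imprint).to_bytes(2, "big") + imprint + gen_time.isoformat().encode()


def issue_token(tsa: TsaCert, imprint: bytes, gen_time: datetime) -> Token:
    """A well-behaved TSA only signs while its own certificate is valid."""
    if not tsa.not_before <= gen_time <= tsa.not_after:
        raise ValueError(f"{tsa.name} cannot sign outside its validity period")
    return Token(tsa, imprint, gen_time,
                 hmac.new(tsa.key, _tbs(imprint, gen_time), "sha256").digest())


def token_digest(tok: Token) -> bytes:
    """Imprint a renewal token covers: hash of the whole earlier token, signature included."""
    return hashlib.sha256(_tbs(tok.message_imprint, tok.gen_time) + tok.sig).digest()


def verify_chain(item_digest: bytes, chain: list[Token], now: datetime,
                 trusted: dict[str, TsaCert]) -> tuple[str, str]:
    """Walk a chain where each later token countersigns the previous one.

    Status is "invalid" (a link fails), "attested" (all links check out and the newest
    TSA cert is still valid at `now`) or "attested_unrenewed" (all links check out, so the
    chain still proves the item existed at the first genTime, but the newest TSA cert has
    expired; accepting that is the policy decision the thread discusses).
    """
    if not chain:
        return "invalid", "no tokens"
    expected, prev_expiry = item_digest, None
    for i, tok in enumerate(chain):
        tsa = trusted.get(tok.tsa.name)
        if tsa is None or tsa != tok.tsa:
            return "invalid", f"link {i}: TSA {tok.tsa.name!r} not trusted"
        if not hmac.compare_digest(tok.message_imprint, expected):
            return "invalid", f"link {i}: imprint does not match what it should cover"
        good = hmac.new(tsa.key, _tbs(tok.message_imprint, tok.gen_time), "sha256").digest()
        if not hmac.compare_digest(good, tok.sig):
            return "invalid", f"link {i}: bad signature"
        # Validity is checked at genTime, not at `now`: a cert expiring later does not
        # retroactively undo a signature made while the cert was valid.
        if not tsa.not_before <= tok.gen_time <= tsa.not_after:
            return "invalid", f"link {i}: signed outside {tsa.name}'s validity period"
        # A renewal must land before the previous link's cert lapses; otherwise there is
        # a gap during which nobody vouched for the earlier token.
        if prev_expiry is not None and tok.gen_time > prev_expiry:
            return "invalid", f"link {i}: renewed after previous TSA cert expired"
        prev_expiry, expected = tsa.not_after, token_digest(tok)
    first = chain[0].gen_time.isoformat()
    if now > prev_expiry:
        return "attested_unrenewed", f"item existed at {first}; newest TSA cert has expired"
    return "attested", f"item existed at {first}"


def demo() -> dict[str, str]:
    """Constructed scenario: TSA-A (2010-2015) stamps a document, TSA-B (2014-2020) renews."""
    utc = timezone.utc
    tsa_a = TsaCert("TSA-A", datetime(2010, 1, 1, tzinfo=utc), datetime(2015, 1, 1, tzinfo=utc), b"toy-key-A")
    tsa_b = TsaCert("TSA-B", datetime(2014, 1, 1, tzinfo=utc), datetime(2020, 1, 1, tzinfo=utc), b"toy-key-B")
    trusted = {t.name: t for t in (tsa_a, tsa_b)}
    item = hashlib.sha256(b"constructed signed document").digest()
    t1 = issue_token(tsa_a, item, datetime(2012, 6, 1, tzinfo=utc))
    t2 = issue_token(tsa_b, token_digest(t1), datetime(2014, 12, 1, tzinfo=utc))
    late = issue_token(tsa_b, token_digest(t1), datetime(2016, 1, 1, tzinfo=utc))  # after TSA-A lapsed
    now = datetime(2018, 1, 1, tzinfo=utc)
    return {
        "single_2018": verify_chain(item, [t1], now, trusted)[0],
        "renewed_2018": verify_chain(item, [t1, t2], now, trusted)[0],
        "renewed_2021": verify_chain(item, [t1, t2], datetime(2021, 1, 1, tzinfo=utc), trusted)[0],
        "late_renewal": verify_chain(item, [t1, late], now, trusted)[0],
        "wrong_item": verify_chain(b"\x00" * 32, [t1, t2], now, trusted)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:14s} {status}")
```

The single TSA-A token checked in 2018 comes back "attested_unrenewed" rather than "invalid": the evidence that the item existed in 2012 is intact, and a verifier's policy decides whether an expired-but-once-valid chain is good enough or whether a stored copy or a renewal is required. A renewal applied only in 2016, after TSA-A's certificate lapsed, is rejected because the gap cannot be closed afterwards.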