[pkix] cross posting from LTANS: request for feedback/input on validate: verification data to store for signature verification after 50 years?
Tobias Gondrom <tobias.gondrom@gondrom.org> Mon, 26 July 2010 09:06 UTC
Message-ID: <4C4D4FE4.5020801@gondrom.org>
Date: Mon, 26 Jul 2010 10:05:40 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: pkix@ietf.org
Hello dear PKIX fellows,

one quick invitation for input from PKIX on this:
http://tools.ietf.org/html/draft-ietf-ltans-validate-03

A number of people and regulatory bodies have asked "what verification data do you need to store today to verify a signature in the future for a potentially unlimited time - e.g. think of 50 years later (when trust centers and OCSP responders may have gone silent)? (of course used crypto algorithms in the signatures are renewed by using LTANS:ERS/XMLERS)"

So as one last minor item of LTANS (before we finally close it down in a few months) we looked at one last informational draft "validate" to answer that with some recommendations.

For example one of the questions is:
- is the package of the whole cert chain up to root of used signatures and CRL/OCSPs sufficient, or do you also need to store the whole cert chain up to the root for all signatures in the CRL/OCSP responses and timestamp servers, especially in the case of published trust centres. And to put this further: do you also need to store the OCSP for all used certs in the OCSPs
- layer model vs. chain model for verification

We thought probably PKIX has already discussed parts of this problem in the context of verification, in which case we would like to use the input (or drop the validate-draft in total).

FYI: LTANS meets on Friday 1300-1400 in 0.4 Brussels. (input and discussion is very welcome then and on the mailing-list).

Many greetings,
Tobias
(co-chair of LTANS)

Tobias Gondrom
Sloan Fellowship 2009
London Business School
email: tobias.gondrom@gondrom.org
mobile: +447521003005
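The question in the mail above (is the signer's chain plus its CRLs/OCSP responses enough, or must the chains and status proofs of the OCSP responders and timestamp servers be archived as well, and where does that recursion stop?) can be made concrete as a closure computation. The following is an added illustration, not code from the validate draft or from LTANS: it models certificates, CRL/OCSP evidence and a trust anchor as plain Python objects, and collects the set of artifacts that would have to be archived today so that validation can be repeated offline once the responders have gone silent. All names (Root CA, Sub CA, Alice, TSA, the responder certificates) and the sample PKI are constructed for the example. The recursion terminates at trust anchors and at responder certificates carrying id-pkix-ocsp-nocheck (RFC 2560 §4.2.2.2.1), and anything that has no status evidence today is reported as a gap, because it cannot be fetched in 50 years either.

```python
"""Closure of verification data for long-term (offline) signature re-validation.

Example code, not part of draft-ietf-ltans-validate. The PKI below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    name: str
    issuer: Optional[str]        # None marks a self-signed trust anchor
    ocsp_nocheck: bool = False   # id-pkix-ocsp-nocheck (RFC 2560 4.2.2.2.1): no status proof needed


@dataclass(frozen=True)
class Evidence:
    kind: str     # "OCSP" or "CRL"
    subject: str  # certificate whose revocation status this proves
    signer: str   # certificate that signed the OCSP response or CRL


class Pki:
    def __init__(self, certs: Iterable[Cert], evidence: Iterable[Evidence]):
        self.certs: Dict[str, Cert] = {c.name: c for c in certs}
        self.evidence: Dict[str, Evidence] = {e.subject: e for e in evidence}

    def chain(self, name: str) -> List[str]:
        """Certificate names from `name` up to and including its trust anchor."""
        out, seen = [], set()
        while name is not None:
            if name in seen:
                raise ValueError(f"issuer loop at {name}")
            seen.add(name)
            cert = self.certs[name]
            out.append(cert.name)
            name = cert.issuer
        return out


def verification_data(pki: Pki, roots: Iterable[str], recursive: bool = True) -> Dict[str, Set]:
    """Everything to archive so the signature can be re-verified without any online lookup.

    roots:     certificates that signed the document signature and the timestamp token.
    recursive: False -> only the chains of `roots` and status evidence for each cert in them
                        (the "whole cert chain plus CRL/OCSPs" package from the mail).
               True  -> additionally the chains and status evidence of whoever signed that
                        evidence, repeated until only trust anchors and nocheck certs remain.
    """
    certs: Set[str] = set()
    evidence: Set[tuple] = set()
    missing: Set[str] = set()
    work = list(roots)
    while work:
        for c in pki.chain(work.pop()):
            if c in certs:
                continue
            certs.add(c)
            cert = pki.certs[c]
            if cert.issuer is None or cert.ocsp_nocheck:
                continue                       # anchor or nocheck responder: closure stops here
            ev = pki.evidence.get(c)
            if ev is None:
                missing.add(c)                 # not obtainable today, so not in 50 years either
                continue
            evidence.add((ev.kind, ev.subject, ev.signer))
            if recursive and ev.signer not in certs:
                work.append(ev.signer)         # the evidence signer needs its own chain + status
    return {"certs": certs, "evidence": evidence, "missing_status": missing}


# Constructed sample PKI: a signer under Sub CA, a TSA under a separate CA,
# one delegated responder with nocheck and one without (and without any status proof).
SAMPLE_PKI = Pki(
    certs=[
        Cert("Root CA", None),
        Cert("Sub CA", "Root CA"),
        Cert("Alice", "Sub CA"),
        Cert("Sub CA OCSP", "Sub CA", ocsp_nocheck=True),
        Cert("TSA CA", "Root CA"),
        Cert("TSA", "TSA CA"),
        Cert("TSA OCSP", "TSA CA"),            # delegated responder WITHOUT nocheck
    ],
    evidence=[
        Evidence("OCSP", "Alice", "Sub CA OCSP"),
        Evidence("CRL", "Sub CA", "Root CA"),
        Evidence("OCSP", "TSA", "TSA OCSP"),
        Evidence("CRL", "TSA CA", "Root CA"),
        # deliberately no evidence for "TSA OCSP"
    ],
)

if __name__ == "__main__":
    for mode in (False, True):
        result = verification_data(SAMPLE_PKI, ["Alice", "TSA"], recursive=mode)
        print("recursive" if mode else "flat", sorted(result["certs"]),
              "missing status for:", sorted(result["missing_status"]))
```

Running it shows the practical difference between the two answers: the flat package contains five certificates and four status proofs and looks complete, while the recursive closure pulls in both responder certificates and exposes that the TSA's responder has no archived status proof. Only the recursive variant reports the gap, and the visited set keeps it finite even when a responder's CRL is issued by a CA already in the set.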