Re: [lamps] Review comment from the AD
Jim Schaad <ietf@augustcellars.com> Wed, 27 September 2017 22:04 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0996135145 for <spasm@ietfa.amsl.com>; Wed, 27 Sep 2017 15:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=augustcellars.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8TNEjv3WZgUU for <spasm@ietfa.amsl.com>; Wed, 27 Sep 2017 15:04:27 -0700 (PDT)
Received: from mail4.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E912113513B for <spasm@ietf.org>; Wed, 27 Sep 2017 15:04:26 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; d=augustcellars.com; s=winery; c=simple/simple; t=1506549816; h=from:subject:to:date:message-id; bh=Le8Lqc6knQS8xSucrdaTTDUVqWlgvffjkd+OW+OG8Sk=; b=Hy8qTJkr7CVnvJpoPdoZZo0CXo1vt9I7pWwQuKZlna2TfaTcpHoCucC1H9RxFUxabj7YlT4nY0x MLfSimA3MFts300Hg3BsHFjEHjnouhnA9vT0X7RMoSX8XOY7Z2nFWo5yeOsCYflOYSAw8RRVaCNmn k8oQykck1SMN06sRTMypQwKEVEoTp3TzxhezT3MSpKc6XtcfhBNp81Cj4FB6Z0c/CjmVJmDQOA0lU vPhRuC9wdbESVhKrvnrRRR6Xpnd8jlhsShmQ+I/vBsZULKr59zx2iNVkVXPb9T61MkcZh3NlGI3qV dxSupj4aBCNykAnBUxg7AHfQE6Ed2YsepIZw==
Received: from mail2.augustcellars.com (192.168.1.201) by mail4.augustcellars.com (192.168.1.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 27 Sep 2017 15:03:35 -0700
Received: from Hebrews (192.168.1.162) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 27 Sep 2017 15:03:33 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>
References: <024101d337c0$2069f5e0$613de1a0$@augustcellars.com> <6EC17286-BCA3-4C56-80A6-EEA8279ED5D6@vigilsec.com>
In-Reply-To: <6EC17286-BCA3-4C56-80A6-EEA8279ED5D6@vigilsec.com>
Date: Wed, 27 Sep 2017 15:04:16 -0700
Message-ID: <025901d337dc$917e6970$b47b3c50$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFqoV8vTefs2ccFBFEHtScvSvY/6QIgZvajo4ly8GA=
X-Originating-IP: [192.168.1.162]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/VMeSflodXI7MrQQuRZ8WXmEaGo8>
Subject: Re: [lamps] Review comment from the AD
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Sep 2017 22:04:29 -0000
Yes, but if the time-stamp authority has been compromised, then it is no longer a good authority. So perhaps some extra guidance is needed about doing two checks or something. Jim > -----Original Message----- > From: Russ Housley [mailto:housley@vigilsec.com] > Sent: Wednesday, September 27, 2017 11:56 AM > To: Jim Schaad <ietf@augustcellars.com> > Cc: SPASM <spasm@ietf.org> > Subject: Re: [lamps] Review comment from the AD > > I think this text was supposed to say that SigningTime is the clock value of the > signer, which might be very wrong. One might rely on a time-stamp > authority [RFC3161], if there is a valid attribute from one in the message. > Otherwise, the time that the message arrived in your mailbox is the best > guess that you have. > > Russ > > > > On Sep 27, 2017, at 2:40 PM, Jim Schaad <ietf@augustcellars.com> wrote: > > > > I have one review comment from EKR on rfc5750bis that I am not sure > > what to do with. > > > > The following paragraph from Section 6 - Security Considerations > > > > When determining the time for a certificate validity check, agents > > have to be careful to use a reliable time. Unless it is from a > > trusted agent, this time MUST NOT be the SigningTime attribute found > > in an S/MIME message. For most sending agents, the SigningTime > > attribute could be deliberately set to direct the receiving agent to > > check a CRL that could have out-of-date revocation status for a > > certificate, or cause an improper result when checking the Validity > > field of a certificate. > > > > The problem is two-fold: > > 1. Should the definition of trusted agent be expanded to be more > > clear, and 2. Should that sentence just be deleted because, even if it > > is a trusted agent, a compromised key is going to be able to lie about the > time anyway. > > > > My memory was that this text was supposed to deal with things like > > time-stamp agents where the time was significant, but it could be wrong. > > > > Jim > > > > > > _______________________________________________ > > Spasm mailing list > > Spasm@ietf.org > > https://www.ietf.org/mailman/listinfo/spasm
- [lamps] Review comment from the AD Jim Schaad
- Re: [lamps] Review comment from the AD Russ Housley
- Re: [lamps] Review comment from the AD Jim Schaad
- Re: [lamps] Review comment from the AD Russ Housley
- Re: [lamps] Review comment from the AD Jim Schaad