On 9/12/13 3:02 AM, Masataka Ohta wrote:
> Phillip Hallam-Baker wrote:
>
>> 3) A relying party thus requires a demonstration that is secure against a
>> replay attack from one or more trusted parties to be assured that the time
>> assertion presented is current but this need not necessarily be the same as
>> the source of the signed time assertion itself.
>
>> The real design decision is who you decide you are going to rely on for
>> (3). TLS is proof against replay attack due to the exchange of nonces.
>
> How can you get secure time to securely confirm that a certificate
> of TLS has not expired?
>
> Use yet another PKI?
>
> Masataka Ohta
>

No, you have your own clock.

.as