Re: in the department of "ain't no perfect"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday, 16 January 2019 13:22:53 CET Eliot Lear wrote:
> Hi Hubert
> 
> On 16.01.19 12:27, Hubert Kario wrote:
> > For maintaining signatures that need to be valid long into the future
> > standards like CAdES should be used. They keep time of signing in
> > timestamps signed by trusted time-stamping authorities, along with the
> > rest of revocation data necessary to verify the original signature.
> 
> Understood.  At this point in the maturity cycle of the technology,
> we're just not there yet.  My choices are, have people ignore invalid
> signatures in their entirety or provide something more nuanced for now.

you don't have to start with implementing the full CAdES-LTA, you can start 
with just adding support for timestamping, the CAdES-T

using time from the signature to verify it is as good as ignoring the 
certificate expiration date - if you need to make the signatures verifiable 
now, do that, not use the false sense of security of using easily fakeable 
date
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

Attachment: signature.asc
Description: This is a digitally signed message part.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux