Re: in the department of "ain't no perfect"

On Wednesday, 16 January 2019 21:25:32 CET Viktor Dukhovni wrote:
> > On Jan 15, 2019, at 10:29 AM, Eliot Lear <lear@xxxxxxxxxxxxxxxxxxx> wrote:
> > 
> > I have an application that requires long-lived signatures, perhaps long
> > past the point where the signer's cert has expired.  I'd like a way to
> > extract the signature date from a CMS structure.  With all the opaque
> > structs that have been introduced in the last few releases, it's not
> > clear to me how to do that.  Any examples or guidance (other than don't
> > do that)?
> 
> For long-term storage, the date of interest is NOT when the object
> was signed, but when it was received, verified and stored.  For
> that what you need is separate long-term integrity protection for
> the underlying object store, separate from the origin signatures
> on inbound objects, that need only be valid at time of import.

Alternatively, you can save all the certificates and revocation data, bind it
to the original signature using a timestamp from a TSA, and store that (that's
necessary if you want to be able to prove to some 3rd party that you received
a correctly signed document/message at that time).

But that is very close to reimplementing CAdES, or related standards, and is
far from simple (for one, it requires regularly adding new timestamps to extend
the validity of the original signature and subsequent timestamps).

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
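As an added example (not from this thread, and not OpenSSL's own code): a stdlib-only Python DER walker that pulls the PKCS#9 signingTime attribute out of a CMS SignedData, the field Eliot is asking for, run against a constructed SignedData with a dummy issuer and dummy signature bytes. It also shows why that attribute is only the signer's own claim about the time: nothing in the structure binds it to a trusted clock, which is what the TSA timestamp in Hubert's suggestion adds.

```python
from datetime import datetime, timezone

# OIDs as DER content bytes (tag and length are added by tlv()).
SIGNING_TIME = bytes.fromhex("2a864886f70d010905")   # 1.2.840.113549.1.9.5 signingTime
ID_DATA      = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1 id-data
ID_SIGNED    = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2 id-signedData
SHA256       = bytes.fromhex("608648016503040201")   # 2.16.840.1.101.3.4.2.1
RSA_ENC      = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

def tlv(tag, body):
    """DER-encode one TLV; a single length byte or the 0x81 long form is enough here."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def iter_tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf (single-byte tags only)."""
    i = 0
    while i + 2 <= len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def signing_times(der):
    """Return every PKCS#9 signingTime attribute found in der as a UTC datetime."""
    found = []
    def walk(buf):
        for tag, val in iter_tlvs(buf):
            items = list(iter_tlvs(val)) if tag == 0x30 else []
            if len(items) == 2 and items[0] == (0x06, SIGNING_TIME):   # Attribute{type, values}
                for t, v in iter_tlvs(items[1][1]):    # SET OF Time: UTCTime or GeneralizedTime
                    fmt = "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ"
                    found.append(datetime.strptime(v.decode(), fmt).replace(tzinfo=timezone.utc))
            elif tag & 0x20:                           # any other constructed type: descend
                walk(val)
    walk(der)
    return found

def build_sample(utc_time):
    """Constructed CMS ContentInfo/SignedData: detached, one signer, dummy issuer and signature."""
    alg = lambda oid: tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    attrs = tlv(0xA0, tlv(0x30, tlv(0x06, SIGNING_TIME) + tlv(0x31, tlv(0x17, utc_time))))
    signer = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x2a"))
                 + alg(SHA256) + attrs + alg(RSA_ENC) + tlv(0x04, b"\x00" * 16))
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, alg(SHA256))
             + tlv(0x30, tlv(0x06, ID_DATA)) + tlv(0x31, signer))
    return tlv(0x30, tlv(0x06, ID_SIGNED) + tlv(0xA0, sd))

SAMPLE = build_sample(b"190116202532Z")                # constructed value, not from the thread
```

On a real signature the same attribute is what `openssl cms -inform DER -in sig.p7s -cmsout -print` shows under signedAttrs; it is covered by the signer's signature, so it cannot be altered after the fact, but its value is whatever the signer's clock said.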

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users