[openssl-dev] Certificate Limitation Profile
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Nov 28 20:14:06 UTC 2017
On Tue, Nov 28, 2017 at 07:18:48PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> I think it makes perfect sense to sign CLP, because it allows you to
> separate trust in the server you're downloading the content from and the
> content itself.

The problem with "data at rest" signatures is that it then becomes
difficult to ascertain freshness. How do you know that you're not
using a much too stale version of the CLP, that fails to include a
recently deprecated trust anchor?

Therefore, one needs to be careful to not rely *solely* on the
signature of the CLP payload. It is still important to get a fresh
copy from a trusted source sufficiently often.

--
Viktor.
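
The freshness point in the message above, as an added example that is not part of the original post or of OpenSSL: a correctly signed but old CLP passes a signature-only check, so the verifier also enforces a maximum age and refuses rollback. The field names (`serial`, `issued`, `deprecated_anchors`), the one-week policy, and the HMAC standing in for the publisher's public-key signature are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the publisher's signature;
# a real deployment would verify a public-key signature instead.
DEMO_KEY = b"constructed-demo-key"
MAX_AGE = 7 * 86400  # assumed policy: a copy older than one week is stale


def sign(payload: dict) -> dict:
    """Serialize the payload canonically and attach the stand-in signature."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def signature_ok(doc: dict) -> bool:
    """Signature-only check: says nothing about how old the document is."""
    expected = hmac.new(DEMO_KEY, doc["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["sig"])


def accept(doc: dict, now: int, last_seen_serial: int) -> tuple:
    """Accept only a document that is signed, not rolled back, and not stale."""
    if not signature_ok(doc):
        return False, "bad signature"
    clp = json.loads(doc["body"])
    if clp["serial"] < last_seen_serial:
        return False, "rollback: older than a copy already seen"
    if now - clp["issued"] > MAX_AGE:
        return False, "stale: fetch a fresh copy from the trusted source"
    return True, "ok"


# Constructed sample data: serial 1 predates the deprecation of "OldRootCA".
T0 = 1_500_000_000
OLD = sign({"serial": 1, "issued": T0, "deprecated_anchors": []})
NEW = sign({"serial": 2, "issued": T0 + 30 * 86400,
            "deprecated_anchors": ["OldRootCA"]})
NOW = T0 + 31 * 86400

if __name__ == "__main__":
    print("old copy, signature only:", signature_ok(OLD))
    print("old copy, first contact: ", accept(OLD, NOW, last_seen_serial=0))
    print("new copy:                ", accept(NEW, NOW, last_seen_serial=0))
    print("old copy replayed later: ", accept(OLD, NOW, last_seen_serial=2))
```

The rollback check only helps a client that has already seen a newer copy; for a client with no prior state, the age limit is the only thing that rejects the old document.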