[openssl-dev] Certificate Limitation Profile

Viktor Dukhovni openssl-users at dukhovni.org
Tue Nov 28 20:14:06 UTC 2017


On Tue, Nov 28, 2017 at 07:18:48PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:

> I think it makes perfect sense to sign CLP, because it allows you to
> separate trust in the server you're downloading the content from and the
> content itself.

The problem with "data at rest" signatures is that it then becomes
difficult to ascertain freshness.  How do you know that you're not
using a much too stale version of the CLP, that fails to include a
recently deprecated trust anchor?

Therefore, one needs to be careful to not rely *solely* on the
signature of the CLP payload.  It is still important to get a fresh
copy from a trusted source sufficiently often.

-- 
	Viktor.
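
The freshness problem described above, as an added example that is not part of the original message or of OpenSSL: a stale signed copy still verifies, so the consumer also has to check a validity window and refuse rollbacks. The CLP field names (`serial`, `next_update`, `deprecated_anchors`), the key and the timestamps are assumptions constructed for the demo, and HMAC-SHA256 stands in for the publisher's public-key signature.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 stands in for the publisher's public-key signature.
KEY = b"constructed-demo-key"
DAY = 86400
T0 = 1511900000  # constructed issue time of the first CLP


def sign_clp(body):
    """Serialize a (hypothetical) CLP body and attach a signature."""
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload,
            "sig": hmac.new(KEY, payload, hashlib.sha256).digest()}


def signature_ok(blob):
    """Authenticity only: says nothing about how old the payload is."""
    expected = hmac.new(KEY, blob["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob["sig"])


def check_clp(blob, now, last_seen_serial=0):
    """Accept a CLP only if it is authentic, current and not a rollback."""
    if not signature_ok(blob):
        return False, "bad signature"
    body = json.loads(blob["payload"])
    if now > body["next_update"]:
        return False, "stale"
    if body["serial"] < last_seen_serial:
        return False, "rollback"
    return True, "ok"


# Constructed sample data: serial 2 deprecates an anchor that serial 1 allows.
OLD = sign_clp({"serial": 1, "next_update": T0 + 7 * DAY,
                "deprecated_anchors": []})
NEW = sign_clp({"serial": 2, "next_update": T0 + 37 * DAY,
                "deprecated_anchors": ["Example Root CA (constructed)"]})

if __name__ == "__main__":
    now = T0 + 31 * DAY
    print("old copy, signature only:", signature_ok(OLD))
    print("old copy, full check:   ", check_clp(OLD, now))
    print("new copy, full check:   ", check_clp(NEW, now))
```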

