[openssl-users] in the department of "ain't no perfect"

Hubert Kario hkario at redhat.com
Wed Jan 16 14:46:40 UTC 2019

On Wednesday, 16 January 2019 13:22:53 CET Eliot Lear wrote:
> Hi Hubert
> On 16.01.19 12:27, Hubert Kario wrote:
> > For maintaining signatures that need to be valid long into the future
> > standards like CAdES should be used. They keep time of signing in
> > timestamps signed by trusted time-stamping authorities, along with the
> > rest of revocation data necessary to verify the original signature.
> Understood.  At this point in the maturity cycle of the technology,
> we're just not there yet.  My choices are, have people ignore invalid
> signatures in their entirety or provide something more nuanced for now.

you don't have to start with implementing the full CAdES-LTA, you can start 
with just adding support for timestamping, the CAdES-T

using time from the signature to verify it is as good as ignoring the 
certificate expiration date - if you need to make the signatures verifiable 
now, do that, not use the false sense of security of using easily fakeable 
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190116/6e474714/attachment.sig>

More information about the openssl-users mailing list