[openssl-users] in the department of "ain't no perfect"
Hubert Kario
hkario at redhat.com
Wed Jan 16 14:46:40 UTC 2019
On Wednesday, 16 January 2019 13:22:53 CET Eliot Lear wrote:
> Hi Hubert
>
> On 16.01.19 12:27, Hubert Kario wrote:
> > For maintaining signatures that need to be valid long into the future
> > standards like CAdES should be used. They keep time of signing in
> > timestamps signed by trusted time-stamping authorities, along with the
> > rest of revocation data necessary to verify the original signature.
>
> Understood. At this point in the maturity cycle of the technology,
> we're just not there yet. My choices are, have people ignore invalid
> signatures in their entirety or provide something more nuanced for now.
you don't have to start with implementing the full CAdES-LTA, you can start
with just adding support for timestamping, the CAdES-T
using time from the signature to verify it is as good as ignoring the
certificate expiration date - if you need to make the signatures verifiable
now, do that, not use the false sense of security of using easily fakeable
date
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190116/6e474714/attachment.sig>
More information about the openssl-users
mailing list