[openssl-users] in the department of "ain't no perfect"

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jan 16 20:25:32 UTC 2019

> On Jan 15, 2019, at 10:29 AM, Eliot Lear <lear at ofcourseimright.com> wrote:
> I have an application that requires long-lived signatures, perhaps long
> past the point where the signer's cert has expired.  I'd like a way to
> extract the signature date from a CMS structure.  With all the opaque
> structs that have been introduced in the last few releases, it's not
> clear to me how to do that.  Any examples or guidance (other than don't
> do that)?

I doubt this has anything to do with opaque structures.  The real
issue here is that IIRC CMS (previously known as PKCS7) has no
signature date.  It just has to be signed data and a signature,
with an X.509 certificate that has an expiration.

For long-term storage, the date of interest is NOT when the object
was signed, but when it was received, verified and stored.  For
that what you need is separate long-term integrity protection for
the underlying object store, separate from the origin signatures
on inbound objects, that need only be valid at time of import.

Indeed with content that's also encrypted, you'll typically want
to immediately decrypt it, decoupling it from a comparatively
short-lived inbound encryption public key, and re-encrypt for
storage under a key that is managed as part of the object store.

The naïve model of using the signer and recipient keys as long-term
verification and decryption keys is deeply flawed for data retention.
This is a big part of the reason why end-to-end email encryption has
negligible adoption: the storage infrastructure to make it usable was
never built.
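One way to build the store-side integrity layer this reply describes, as an added example that is not part of the mailing-list post and not OpenSSL code: the origin signature on an inbound object is checked once at import, and from then on the archive protects the content together with the recorded import time and the signer identity under its own long-term store key. The store key, the record layout and the function names are assumptions made for this example; the re-encryption side is not shown.

```python
"""Store-side integrity protection for an object archive (added example).

The origin signature is validated once, at import.  Afterwards the archive's
own key covers the content, the recorded import time and the signer name, so
the origin signer's certificate expiry no longer matters for retention.
"""
import hashlib
import hmac
import json

# Placeholder long-term store key (constructed for this example); a real
# archive would keep it in a KMS/HSM and rotate it with re-tagging.
STORE_KEY = bytes.fromhex("11" * 32)


def _canonical(meta: dict) -> bytes:
    """Deterministic encoding of the metadata that the tag must cover."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def _tag(meta: dict, store_key: bytes) -> str:
    return hmac.new(store_key, _canonical(meta), hashlib.sha256).hexdigest()


def make_record(content: bytes, origin_signer: str, origin_sig_ok: bool,
                imported_at: int, store_key: bytes = STORE_KEY) -> dict:
    """Build an archive record for an object whose origin signature was just
    verified.  origin_sig_ok is the outcome of that one-time check;
    imported_at is the Unix time of receipt/verification (the date that
    matters for long-term storage, not the signing date)."""
    if not origin_sig_ok:
        raise ValueError("origin signature invalid at import; refusing to store")
    meta = {
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "origin_signer": origin_signer,
        "imported_at": imported_at,
    }
    return {"meta": meta, "tag": _tag(meta, store_key), "content": content}


def verify_record(rec: dict, store_key: bytes = STORE_KEY) -> bool:
    """True only if neither the content nor the recorded import metadata
    (time, signer) has changed since the record was written."""
    meta = rec["meta"]
    if not hmac.compare_digest(_tag(meta, store_key), rec["tag"]):
        return False
    return hashlib.sha256(rec["content"]).hexdigest() == meta["content_sha256"]


if __name__ == "__main__":
    # Constructed sample: an object whose CMS signature passed at import time.
    rec = make_record(b"invoice body", "CN=Example Signer", True, 1547587532)
    print("stored record verifies:", verify_record(rec))
    forged = dict(rec, content=b"invoice body (altered)")
    print("altered content verifies:", verify_record(forged))
```

The tag binds the import time to the content, so a later change to either the object or its recorded receipt date is detected regardless of whether the original signer's certificate has since expired.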
