[openssl-users] in the department of "ain't no perfect"

Hubert Kario hkario at redhat.com
Thu Jan 17 16:29:53 UTC 2019


On Wednesday, 16 January 2019 21:25:32 CET Viktor Dukhovni wrote:
> > On Jan 15, 2019, at 10:29 AM, Eliot Lear <lear at ofcourseimright.com> wrote:
> > 
> > I have an application that requires long-lived signatures, perhaps long
> > past the point where the signer's cert has expired.  I'd like a way to
> > extract the signature date from a CMS structure.  With all the opaque
> > structs that have been introduced in the last few releases, it's not
> > clear to me how to do that.  Any examples or guidance (other than don't
> > do that)?
> 
> For long-term storage, the date of interest is NOT when the object
> was signed, but when it was received, verified and stored.  For
> that what you need is separate long-term integrity protection for
> the underlying object store, separate from the origin signatures
> on inbound objects, that need only be valid at time of import.

alternatively, you can save all the certificates and revocation data, bind it 
to the original signature using a timestamp from a TSA and store that (that's 
necessary if you want to be able to prove to some 3rd party that you received 
a correctly signed document/message at that time)

but that is very close to reimplementing CAdES, or related standards, and is 
far from simple (for one, requires adding, regularly, new timestamps to extend 
validity of the original signature and subsequent timestamps)

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190117/e16c8353/attachment.sig>


More information about the openssl-users mailing list