- From: David Solo <david.solo@citicorp.com>
- Date: Wed, 28 Jul 1999 17:07:18 -0400
- To: tgindin@us.ibm.com
- Cc: John Boyer <jboyer@uwi.com>, DSig Group <w3c-ietf-xmldsig@w3.org>

Just a quick comment on generalized time, etc. (I don't recall if I'm repeating a prior note). This is really a canonicalization issue (hence the tie from DER). One of the goals of those rules was that a time value (an "instant" in time) have exactly one representation when you calculate the signature. This should be true even if I "decode" the representation into a local form (e.g. Unix time) and then reencode. Thus, the rule that all time values are represented as Z for sig calculation (as well as handling other equivalences). One of the questions I have for the XML C14n effort is whether they are similarly addressing C14n of semantic values (data->XML) as well as XML->XML.

Dave

tgindin@us.ibm.com wrote:
>
> "John Boyer" <jboyer@uwi.com> on 07/28/99 02:59:16 PM
>
> To: Tom Gindin/Watson/IBM@IBMUS
> cc: "DSig Group" <w3c-ietf-xmldsig@w3.org>
> Subject: RE: Brown draft feedback on time stamping and on criticality flags
>
> Hi Tom,
>
> Thanks. I got the parts about UTC from the Brown draft, which includes an
> example.
> My question actually was, when one says -0500, for example, is that Eastern
> Standard Time or Central Daylight Time? Given that many time zones contain
> regions that don't observe daylight savings time (scourge that it is), it
> seems prudent to include this information since calculations made at a later
> time by a verifier will not be sufficient if based on date calculations
> only.
>
> [Tom Gindin] I don't understand why it matters whether one considers 7:30 PM
> local time in the summer in Indiana as EST (Indianapolis) or CDT (Gary). The
> date calculation will work the same way in either case.
>
> As for the DER requiring GMT, it seems interesting that the designers of DER
> did not account for this. It still seems necessary to have the daylight
> savings time setting in effect when the user signed in order to properly
> figure out the local time (and hence possibly the local date) of when the
> signer effected the signature.
>
> [Tom Gindin] Frankly, I think they just wanted to specify the actual time in
> these attributes. The locality would, if relevant, be a separate attribute.
> So, should there be a field called SigningLocation to display this? Such a
> field would contain the Country (mandatory), StateOrProvince (optional),
> Locality (optional), Street Address (optional) and Time Zone (optional).
>
> John Boyer
> Software Development Manager
> UWI.Com -- The Internet Forms Company
>
> -----Original Message-----
> From: w3c-ietf-xmldsig-request@w3.org
> [mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of tgindin@us.ibm.com
> Sent: Wednesday, July 28, 1999 11:31 AM
> To: John Boyer
> Cc: Richard Brown; DSig Group
> Subject: Re: Brown draft feedback on time stamping and on criticality flags
>
> "John Boyer" <jboyer@uwi.com> on 07/28/99 02:02:30 PM
>
> To: "Richard Brown" <rdbrown@globeset.com>
> cc: "DSig Group" <w3c-ietf-xmldsig@w3.org>
> Subject: Brown draft feedback on time stamping and on criticality flags
>
> I have a copy of the Brown Draft dated 18 June 1999, which I hope is pretty
> much the latest.
>
> It seems to be always easy to find whatever I'm looking for in this draft!
>
> Regarding criticality flags in the attributes, I seem to recall there being
> a fair bit of aversion at and around the initial workshop on whether we
> should have criticality flags. The persons who expressed this opinion
> seemed to have a great deal of experience with prior security protocols.
> What were the problems, and have they been overcome? Since the criticality
> flags are either still included or have returned (I don't know which), I
> assume there was a resolution. What was it?
>
> Regarding time/date stamping, it follows some ISO standard I don't have
> (URL?), but that standard doesn't seem to include information on whether or
> not the signer uses daylight savings time. (Not that the verifier should
> trust signer time settings). Perhaps UTC time is different from GMT, but
> whenever we go on daylight savings time here on the Pacific Coast, our
> offset changes from 0800 to 0700 relative to GMT. Does the same thing
> happen with UTC? If so, it could make things a fair bit easier for
> programmers (very many of whom don't know about this little hiccup) to
> produce the correct local time.
>
> [Tom Gindin] The ASN.1 UTC and GeneralizedTime formats both include a time
> zone indicator: Z for GMT, +hhmm for east of GMT, -hhmm for west of GMT
> (-0700 for Pacific Daylight Time and -0800 for PST, for example). However,
> the DER encoding requires that you use GMT specifically.
>
> Thanks,
> John Boyer
> Software Development Manager
> UWI.Com -- The Internet Forms Company

Received on Wednesday, 28 July 1999 17:08:02 UTC
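
The canonicalization rule discussed in this thread (one instant, one encoding, always Z when the signature is calculated), as an added Python example that is not part of the original messages. It assumes a subset of GeneralizedTime without fractional seconds; the function names and the sample strings are constructed for illustration.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# GeneralizedTime subset: YYYYMMDDHHMM[SS] followed by Z or +hhmm / -hhmm.
# Fractional seconds and zone-less local time are rejected (assumption of this example).
_GT = re.compile(r"(\d{12})(\d{2})?(Z|[+-]\d{4})")

def parse_generalized_time(text: str) -> datetime:
    """Decode a GeneralizedTime string into an aware UTC datetime."""
    m = _GT.fullmatch(text)
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {text!r}")
    stamp, secs, zone = m.groups()
    naive = datetime.strptime(stamp + (secs or "00"), "%Y%m%d%H%M%S")
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
    # Local time = UTC + offset, so UTC = local - offset.
    return (naive - offset).replace(tzinfo=timezone.utc)

def canonical_time(text: str) -> str:
    """Re-encode in the single DER form: seconds present, zone always Z."""
    return parse_generalized_time(text).strftime("%Y%m%d%H%M%SZ")

def via_unix_time(text: str) -> str:
    """Decode to Unix time (a 'local form') and re-encode canonically."""
    epoch = int(parse_generalized_time(text).timestamp())
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")

def digest(text: str) -> str:
    """Stand-in for the signature input: hash of the encoded time value."""
    return hashlib.sha256(text.encode("ascii")).hexdigest()

# Constructed sample: one instant written three ways (Z, -0400, -0700).
SAMPLES = ["19990728210718Z", "19990728170718-0400", "19990728140718-0700"]

if __name__ == "__main__":
    for s in SAMPLES:
        c = canonical_time(s)
        print(f"{s:22} raw={digest(s)[:12]} canonical={c} c14n={digest(c)[:12]}")
```

The raw digests differ for all three spellings, while the canonical digests match, which is why a verifier must canonicalize before checking the signature rather than compare the time as transmitted.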