W3C home > Mailing lists > Public > www-ws@w3.org > April 2002

RE: Web Services - Non-repudiation

From: Joseph Hui <jhui@digisle.net>
Date: Wed, 24 Apr 2002 10:38:42 -0700
Message-ID: <C153D39717E5F444B81E7B85018A460B081B27CB@ex-sj-5.digisle.com>
To: "Srinivas Cheruku" <csri@sonata-software.com>, <www-ws@w3.org>

As far as non-repudiation goes, the receiver should check
the "validity" field (or "expiry" as you chose to call it) of 
the signer's certificate against real time, because timestamps
can be faked, say by the signer of an expired/revoked cert.

I think of interest to you as an implementer/developer is that
using timestamps for the purpose of proving DS ownership 
(e.g. the signer's private key was not stolen at the time the
document was signed) requires the support of a massive infrastructure.
Besides, there is always a window between the time when a private
key is compromised and the time when the associated certificate
is revoked, which an attacker can slip through.  

You may find the challenge-response approach a far more viable
alternative to timestamping for validating whether the message
signer/sender is indeed the rightful owner of the cert
(which contains or leads you to the public key of the signer).
Of course, you still have to check the cert against the
CRL (i.e. Certificate Revocation List) and the cert's
validity against real time.

Note that things get complicated when an XML message contains
multiple elements signed by multiple cert holders.  That is,
the challenge-response approach doesn't scale well for 
multi-signer messages.

Good luck,

Joe Hui
Exodus, a Cable & Wireless service

> -----Original Message-----
> From: Srinivas Cheruku [mailto:csri@sonata-software.com]
> Sent: Tuesday, April 23, 2002 10:07 PM
> To: www-ws@w3.org
> Cc: Srinivas Cheruku
> Subject: Web Services - Non-repudiation
> Hi,
> I want to implement all the core requirements of security like
> Authentication, Authorization, Privacy, Integrity and Non-repudiation.
> From the search on the web, for acheiving Non-repudiation we 
> can make use of
> XML Digital Signatures.
> But, i didnot find any information regarding the 
> timestamping. XML Digital
> Signatures can prove the source of origin but how can we take 
> care of Time
> Stamping so that we can prove that the sender as digitally 
> signed before the
> expiry or revoking of his certificate.
> If i am wrong, please guiding me for acheiving non-repudiation in web
> services.
> Many Thanks and regards,
> Srini
> *********************************************************************
> Disclaimer: The information in this e-mail and any attachments is
> confidential / privileged. It is intended solely for the addressee or
> addressees. If you are not the addressee indicated in this 
> message, you may
> not copy or deliver this message to anyone. In such case, you 
> should destroy
> this message and kindly notify the sender by reply email. 
> Please advise
> immediately if you or your employer does not consent to 
> Internet email for
> messages of this kind.
> *********************************************************************
Received on Wednesday, 24 April 2002 13:39:07 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:37:07 UTC