
Re: Validation of signatures?

From: Ed Simon <edsimon@xmlsec.com>
Date: Fri, 28 Jun 2002 09:04:36 -0400
Message-ID: <001201c21ea4$5c09ef60$f2a0fea9@DJQC7111>
To: <stef.hoeben@utimaco.be>
Cc: <www-xkms@w3.org>

Stef wrote:

> Could you tell me if it ("checking if a cert is valid some
> time ago"-ed.) is possible to do the above using
> the current XKMS 'Validate' service(s)?

Yes, I would say it is.  You can use the Validate service for the
certificate in question and the Validate service can choose to return a
status code of Invalid with a <ValidityInterval> element indicating the
certificate has already expired and when that happened.

Stef wrote:
> If you doubt if an XKMS service should provide it, do you mean
> that the client should do all the work, or that it should not
> be part of XKMS?

I'm not making any statement on whether an XKMS service should or should not
provide such functionality; that decision is really up to the business model
of the particular XKMS service and is completely outside the scope of the
spec.  What the spec does say is
  "If the Reason code ValidityInterval is returned with a Status code of
Invalid additional information MAY be provided in the <ValidityInterval>
element of the KeyBinding. If only the NotOnOrAfter attribute is specified
it indicates that the specified time instant is before the credential became
valid. If only the NotAfter attribute is specified it indicates that either
the credential expired or was revoked. If both the NotOnOrAfter and NotAfter
attributes are specified it is likely that the credential was suspended and
MAY be reinstated at a later time."

So in summary, XKMS does enable the functionality you describe but does not
mandate it.  The good news is that if an XKMS service does not provide the
service then it is easy for the client to determine that.  I do not really
see how the client would "do all the work" if it needs to deal with one or
more XKMS services that do not provide validity intervals for expired
certificates.  It seems to me that would require the client to ping the XKMS
Validate service for all certificates that the client might ever need to use
before any of those certificates have a chance to expire, which does not
seem very practical to me.

Regards, Ed
-----------------------------------------------------------------------------------------------------------------------
Ed Simon
<edsimon@xmlsec.com>
(613) 726-9645
XMLsec Inc.

Interested in XML Security Training and Consulting services?  Visit
"www.xmlsec.com".

>
> > ... checking and so on.  As well, XKMS could be used as the
> > basis for such things as "checking if a cert is valid some
> > time ago" though I can't say if that type of functionality
> > would necessarily be provided by an XKMS service provider.
>
> Could you tell me if it is possible to do the above using
> the current XKMS 'Validate' service(s)?
>
> If you doubt if an XKMS service should provide it, do you mean
> that the client should do all the work, or that it should not
> be part of XKMS?
>
> Thanks, Stef
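An added example, not code from this message or from any XKMS implementation: a small Python interpreter for the attribute rule Ed quotes from the spec, run over constructed, simplified KeyBinding fragments (a stand-in, not the XKMS schema; the attribute names NotOnOrAfter and NotAfter are taken from the quote as given), including the case Ed raises where a service returns Invalid but supplies no interval at all.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified stand-ins for XKMS Validate responses (not the real
# XKMS schema): one KeyBinding carrying Status, Reason and an optional
# ValidityInterval, using the attribute names quoted in the message.
SAMPLE = {
    "expired": "<KeyBinding><Status>Invalid</Status><Reason>ValidityInterval</Reason>"
               "<ValidityInterval NotAfter='2002-05-31T23:59:59Z'/></KeyBinding>",
    "too_early": "<KeyBinding><Status>Invalid</Status><Reason>ValidityInterval</Reason>"
                 "<ValidityInterval NotOnOrAfter='2002-07-01T00:00:00Z'/></KeyBinding>",
    "suspended": "<KeyBinding><Status>Invalid</Status><Reason>ValidityInterval</Reason>"
                 "<ValidityInterval NotOnOrAfter='2002-06-01T00:00:00Z' "
                 "NotAfter='2002-06-15T00:00:00Z'/></KeyBinding>",
    "bare": "<KeyBinding><Status>Invalid</Status><Reason>ValidityInterval</Reason></KeyBinding>",
    "valid": "<KeyBinding><Status>Valid</Status></KeyBinding>",
}

@dataclass
class Verdict:
    status: str
    interval_provided: bool
    kind: str                       # one of the kinds assigned in interpret_key_binding()
    not_on_or_after: Optional[str] = None
    not_after: Optional[str] = None

def interpret_key_binding(xml_text: str) -> Verdict:
    """Apply the rule quoted from the spec: which ValidityInterval attributes
    are present decides whether the credential was not yet valid, expired or
    revoked, or (likely) suspended. A missing interval is reported explicitly,
    since the spec only says the service MAY supply it."""
    kb = ET.fromstring(xml_text)
    status = kb.findtext("Status") or ""
    reason = kb.findtext("Reason")
    vi = kb.find("ValidityInterval")
    if status != "Invalid" or reason != "ValidityInterval":
        return Verdict(status, vi is not None, "other")
    if vi is None:
        # Ed's point: the client can easily tell the service chose not to provide it.
        return Verdict(status, False, "no_interval")
    nooa, na = vi.get("NotOnOrAfter"), vi.get("NotAfter")
    if nooa and na:
        kind = "suspended"           # both given: likely suspended, MAY be reinstated
    elif na:
        kind = "expired_or_revoked"  # only NotAfter: expired or revoked
    elif nooa:
        kind = "not_yet_valid"       # only NotOnOrAfter: instant precedes validity
    else:
        kind = "no_interval"         # element present but empty: treat as not provided
    return Verdict(status, True, kind, nooa, na)
```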
Received on Friday, 28 June 2002 09:01:44 GMT
