ACTION 167

Dear all,

As per action 167, below follows the text for 2.4.3 Use Timestamps 
tokens issued by Timestamp authorities for long lived signatures 
<http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/#timestamps>


"ETSI has produced TS 101 903: "XML Advanced Electronic Signatures 
(XAdES)", which, among other things, deals with the issue of long-term 
electronic signatures. It has defined a standard way for incorporating 
time-stamps into XML signatures. In addition to the signature time-stamp, 
which should be generated soon after the generation of the signature, 
other time-stamps may be added to the signature structure protecting the 
validation material used by the verifier. Recurrent time-stamping (with 
stronger algorithms and keys) of all these items, i.e., the signature, 
the validation material and previous time-stamps, counters the revocation 
of validation data and weaknesses of cryptographic algorithms and keys. 
RFC 3161 and OASIS DSS time-stamps may be incorporated in XAdES signatures.

OASIS DSS core specifies an XML format for time-stamps based on XML Sig. 
In addition, DSS core and profiles allow the generation and verification 
of signatures, time-stamps, and time-stamped signatures by a centralized 
server.

The XAdES and DSS Timestamps should not be confused with WSS Timestamps. 
Although they are both called Timestamps, the WSS <Timestamp> is just an 
xsd:dateTime value added by the signer representing the claimed time of 
signing. XAdES and DSS Timestamps are full-fledged signatures generated 
by a Time-stamp Authority (TSA) binding together the digest of what is 
being time-stamped and a dateTime value. TSAs are trusted third parties 
which operate under certain rules on procedures, software and hardware, 
including time accuracy assurance mechanisms. As such, time-stamps 
generated by well-operating TSAs are trusted time indications which 
prove that what was time-stamped actually existed at the time indicated, 
whereas any time indication inserted by the signatory is no more than a 
claim made by the generator of the signature."
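The following Go program is an added illustration of the two points made in the proposed text above: that a TSA token binds a digest and a time under the TSA's own key (so neither the time nor the covered bytes can be altered by the signer), and that an archive time-stamp covering the signature, the validation material and all earlier tokens lets a verifier walk the chain. It is not part of the original message, of XAdES, of OASIS DSS or of RFC 3161; the structures are a deliberately simplified stand-in for an RFC 3161 TimeStampToken (a real token is CMS/ASN.1 and carries policy, nonce and TSA certificate information), and the type and function names, the sample signature value and the validation material are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Token is a simplified stand-in for an RFC 3161 TimeStampToken (example
// names, not the ASN.1 field names): the TSA signs the message imprint
// together with the generation time, so a relying party trusts the TSA's
// clock rather than a dateTime claimed by the signer.
type Token struct {
	Imprint []byte    // SHA-256 digest of the bytes being time-stamped
	GenTime time.Time // time asserted by the TSA
	Sig     []byte    // DER ECDSA signature over tbs(Imprint, GenTime)
}

// TSA models a Time-stamp Authority with its own key pair and trusted clock.
// The clock is injected so the example runs deterministically offline.
type TSA struct {
	key *ecdsa.PrivateKey
	now func() time.Time
}

func NewTSA(now func() time.Time) (*TSA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSA{key: key, now: now}, nil
}

// Public returns the verification key a relying party would trust for this TSA.
func (t *TSA) Public() *ecdsa.PublicKey { return &t.key.PublicKey }

// lenPrefixed joins parts with 4-byte length prefixes so the concatenation
// is unambiguous (shifting bytes between parts changes the digest).
func lenPrefixed(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		l := make([]byte, 4)
		binary.BigEndian.PutUint32(l, uint32(len(p)))
		out = append(out, l...)
		out = append(out, p...)
	}
	return out
}

// tbs is what the TSA actually signs: a digest of imprint || generation time.
func tbs(imprint []byte, gen time.Time) []byte {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(gen.Unix()))
	h := sha256.Sum256(lenPrefixed(imprint, ts))
	return h[:]
}

// Issue produces a token over an imprint. As in RFC 3161, the TSA only ever
// sees the digest, never the document or signature itself.
func (t *TSA) Issue(imprint []byte) (Token, error) {
	gen := t.now().UTC().Truncate(time.Second)
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, tbs(imprint, gen))
	if err != nil {
		return Token{}, err
	}
	return Token{Imprint: imprint, GenTime: gen, Sig: sig}, nil
}

// Bytes serialises a token so that a later (archive) time-stamp can cover it.
func (tok Token) Bytes() []byte {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(tok.GenTime.Unix()))
	return lenPrefixed(tok.Imprint, ts, tok.Sig)
}

// VerifyToken checks that tok covers data and was signed by the trusted TSA key.
func VerifyToken(tok Token, data []byte, tsaPub *ecdsa.PublicKey) error {
	d := sha256.Sum256(data)
	if !bytes.Equal(d[:], tok.Imprint) {
		return errors.New("imprint does not match the time-stamped data")
	}
	if !ecdsa.VerifyASN1(tsaPub, tbs(tok.Imprint, tok.GenTime), tok.Sig) {
		return errors.New("TSA signature invalid: time or imprint was altered")
	}
	return nil
}

// ArchiveInput is what an archive time-stamp covers: the signature value, the
// validation material and every earlier token (signature time-stamp first).
func ArchiveInput(signature, validation []byte, prev []Token) []byte {
	parts := [][]byte{signature, validation}
	for _, p := range prev {
		parts = append(parts, p.Bytes())
	}
	return lenPrefixed(parts...)
}

// VerifyChain verifies tokens[0] as the signature time-stamp (over the
// signature value only) and each later token as an archive time-stamp over
// everything before it; pubs[i] is the key trusted for tokens[i].
func VerifyChain(signature, validation []byte, tokens []Token, pubs []*ecdsa.PublicKey) error {
	if len(tokens) == 0 || len(tokens) != len(pubs) {
		return errors.New("need exactly one trusted TSA key per token")
	}
	if err := VerifyToken(tokens[0], signature, pubs[0]); err != nil {
		return fmt.Errorf("signature time-stamp: %w", err)
	}
	for i := 1; i < len(tokens); i++ {
		if err := VerifyToken(tokens[i], ArchiveInput(signature, validation, tokens[:i]), pubs[i]); err != nil {
			return fmt.Errorf("archive time-stamp %d: %w", i, err)
		}
		if tokens[i].GenTime.Before(tokens[i-1].GenTime) {
			return fmt.Errorf("archive time-stamp %d predates the token it covers", i)
		}
	}
	return nil
}
```

The chain check is where the "recurrent time-stamping" of the proposed text pays off: a verifier who trusts the second TSA can establish that the signature, its validation material and the first token all existed at the second token's time, even after the first TSA's key or algorithm has been retired. A signer-supplied dateTime (the WSS case) offers no such check, because there is no third-party signature over it to verify.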

Received on Tuesday, 17 June 2008 12:52:08 UTC