RE: xmldsig questions

(snip)
David, Barbara, others?

(Barb) X509OCSP: This isn't a big deal to add, but it has the potential to
open a can of snakes that we've carefully tried to avoid, "freshness of
certificates." We don't require certificates in XML signatures. They're
just one form of evidence that MAY be provided by a signer to a verifier.
Attaching an OCSP response could be considered additional evidence. What we
want to avoid tho is our making any implied recommendations about signers
having to get and attach OCSP responses (or certs, for that matter) to
their signed documents. An OCSP response in particular seems pretty silly
since if a verifier wants freshness information about a certificate, he can
get his own OCSP response.

[Tom Gindin]   For non-repudiation, it can be important to preserve
evidence that the signer's certificate was valid at the time of signature,
and an OCSP or SCVP response is perfectly reasonable as a way of preserving
evidence that it was valid at the signing time.  Is there any other reason
to put a CRL in the KeyInfo, since the verifier can get it almost as easily
as he can get an OCSP response?

Received on Tuesday, 21 December 1999 10:40:23 UTC