- From: <tgindin@us.ibm.com>
- Date: Tue, 21 Dec 1999 10:40:12 -0500
- To: "Barb Fox (Exchange)" <bfox@Exchange.Microsoft.com>
- cc: "'Joseph M. Reagle Jr.'" <reagle@w3.org>, Frederick Hirsch <hirschf@CertCo.com>, w3c-ietf-xmldsig@w3.org, John Boyer <jboyer@uwi.com>, David Solo <david.solo@citicorp.com>
(snip) David, Barbara, others? (Barb) X509OCSP: This isn't a big deal to add, but it has the potential to open a can of snakes that we've carefully tried to avoid, "freshness of certificates." We don't require certificates in XML signatures. They're just one form of evidence that MAY be provided by a signer to a verifier. Attaching an OCSP response could be considered additional evidence. What we want to avoid tho is our making any implied recommendations about signers having to get and attach OCSP responses (or certs, for that matter) to their signed documents. An OCSP response in particular seems pretty silly since if a verifier wants freshness information about a certificate, he can get his own OCSP response. [Tom Gindin] For non-repudiation, it can be important to preserve evidence that the signer's certificate was valid at the time of signature, and an OCSP or SCVP response is perfectly reasonable as a way of preserving evidence that it was valid at the signing time. Is there any other reason to put a CRL in the KeyInfo, since the verifier can get it almost as easily as he can get an OCSP response?
Received on Tuesday, 21 December 1999 10:40:23 UTC