- From: <tgindin@us.ibm.com>
- Date: Tue, 21 Dec 1999 14:26:42 -0500
- To: "Barb Fox (Exchange)" <bfox@Exchange.Microsoft.com>
- cc: w3c-ietf-xmldsig@w3.org
"Barb Fox (Exchange)" <bfox@Exchange.Microsoft.com> on 12/21/99 01:47:05 PM

To: Tom Gindin/Watson/IBM@IBMUS
cc: w3c-ietf-xmldsig@w3.org
Subject: RE: xmldsig questions

Tom:

I don't mind pulling CRL out, but it seems like an ASN.1 structure that some people might want if they choose to use certificates. Responses to certificate revocation status requests, as Phill points out, can be XML formatted messages.

--Barbara Fox

[Tom Gindin] I'm not arguing for CRL to come out, since I think it's useful for non-repudiation. What I was primarily responding to was your comment that putting an OCSP response in was "pretty silly", because if the document is being prepared for non-repudiation use, having a signing-time OCSP response serves the same purpose as having a signing-time CRL. If your recommendation (and Phill's too) is that status responses placed in a document be XML formatted, my only problem with that is that excluding the currently deployed format for such responses might be premature. Phill, do you have a syntax for the XML OCSP responses?

-----Original Message-----
From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com]
Sent: Tuesday, December 21, 1999 7:40 AM
To: Barb Fox (Exchange)
Cc: 'Joseph M. Reagle Jr.'; Frederick Hirsch; w3c-ietf-xmldsig@w3.org; John Boyer; David Solo
Subject: RE: xmldsig questions

(snip)

David, Barbara, others?

(Barb) X509OCSP: This isn't a big deal to add, but it has the potential to open a can of snakes that we've carefully tried to avoid, "freshness of certificates." We don't require certificates in XML signatures. They're just one form of evidence that MAY be provided by a signer to a verifier. Attaching an OCSP response could be considered additional evidence. What we want to avoid tho is our making any implied recommendations about signers having to get and attach OCSP responses (or certs, for that matter) to their signed documents. An OCSP response in particular seems pretty silly since if a verifier wants freshness information about a certificate, he can get his own OCSP response.

[Tom Gindin] For non-repudiation, it can be important to preserve evidence that the signer's certificate was valid at the time of signature, and an OCSP or SCVP response is perfectly reasonable as a way of preserving evidence that it was valid at the signing time. Is there any other reason to put a CRL in the KeyInfo, since the verifier can get it almost as easily as he can get an OCSP response?
Received on Tuesday, 21 December 1999 14:26:36 UTC
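The point Tom makes in the thread, that a response the verifier fetches himself later is not a substitute for revocation evidence captured at signing time, as an added Python example that is not part of the original thread. The evidence model, its field names and the sample dates are assumptions for illustration, not the CRL or OCSP wire formats.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class RevocationEvidence:
    """Constructed model of revocation evidence a signer might embed in
    KeyInfo (a signing-time CRL, or an OCSP/SCVP response). The field
    names are assumptions for this example, not either wire format."""
    kind: str                    # "CRL" or "OCSP"
    this_update: datetime        # when the status information was produced
    next_update: datetime        # until when the issuer considers it current
    revoked: dict = field(default_factory=dict)  # serial -> revocation time


def supports_nonrepudiation(ev, serial, signing_time):
    """Return (ok, reason): does this evidence show that the signer's
    certificate with the given serial was unrevoked at signing_time?"""
    if not (ev.this_update <= signing_time <= ev.next_update):
        return False, f"{ev.kind} validity window does not cover the signing time"
    revoked_at = ev.revoked.get(serial)
    if revoked_at is not None and revoked_at <= signing_time:
        return False, f"certificate was revoked at {revoked_at.isoformat()}"
    return True, f"{ev.kind} produced {ev.this_update.isoformat()} covers signing time"


# Constructed sample data: a signature made on the date of this thread.
SIGNING_TIME = datetime(1999, 12, 21, 14, 26, tzinfo=timezone.utc)
SERIAL = 0x1234  # constructed serial number of the signer's certificate

# Evidence fetched by the signer and embedded at signing time.
SIGNING_TIME_OCSP = RevocationEvidence(
    "OCSP", SIGNING_TIME - timedelta(minutes=5), SIGNING_TIME + timedelta(hours=1))

# Evidence the verifier fetches himself a month later, after the certificate
# has been revoked: fresh, but it says nothing about status at signing time.
LATER_OCSP = RevocationEvidence(
    "OCSP", SIGNING_TIME + timedelta(days=30), SIGNING_TIME + timedelta(days=30, hours=1),
    revoked={SERIAL: SIGNING_TIME + timedelta(days=10)})

# A signing-time CRL that already listed the certificate: no non-repudiation.
SIGNING_TIME_CRL = RevocationEvidence(
    "CRL", SIGNING_TIME - timedelta(hours=6), SIGNING_TIME + timedelta(days=1),
    revoked={SERIAL: SIGNING_TIME - timedelta(days=2)})


def demo():
    """Evaluate each piece of evidence against the signing time."""
    return {name: supports_nonrepudiation(ev, SERIAL, SIGNING_TIME)[0]
            for name, ev in [("signing_time_ocsp", SIGNING_TIME_OCSP),
                             ("later_ocsp", LATER_OCSP),
                             ("signing_time_crl", SIGNING_TIME_CRL)]}
```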