Re: Fw: Re:Call for Review: XML Digital Signature is a W3C Proposed Recommendation

     I don't know if X509CRLs would be useful if attached to a real-time
transaction or not, but they would certainly never be used for
non-repudiation - you want the first one with effective time AFTER the
transaction.  You're quite right that there is no valid reason to use
KeyValue if the key is certified, but somebody might use it if they were
using a trust model similar to the original PGP one.

          Tom Gindin


TAMURA Kent <kent@trl.ibm.co.jp>@w3.org on 10/02/2001 03:59:21 AM

Sent by:  w3c-ietf-xmldsig-request@w3.org


To:   harada@prs.cs.fujitsu.co.jp, w3c-ietf-xmldsig@w3.org,
      toriumi@sysrap.cs.fujitsu.co.jp
cc:
Subject:  Re: Fw: Re:Call for Review: XML Digital Signature is a W3C
      Proposed Recommendation



In message "Fw: Re:Call for Review: XML Digital Signature is a W3C Proposed
Recommendation"
    on 01/09/18, "Harada" <harada@prs.cs.fujitsu.co.jp> writes:
>  In verifying, do you use X509CRLs which are created before verifying?

An X.509 CRL has information about its "updated date" and "next update
date". So we can assume the CRL attached to a signature is the
latest until the "next update date".

In my opinion, we would use neither X509CRL elements nor
KeyValue elements with signatures in practical systems.
X509CRLs with signatures might be old, and we should not trust
key information not in X.509 certificates.  A signature should
have an X.509 certificate or a key name, and the verifier retrieves the
CRL from a local XKMS service.

--
TAMURA Kent @ Tokyo Research Laboratory, IBM

Received on Tuesday, 2 October 2001 07:56:30 UTC
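The two CRL policies argued in this thread, the real-time reading of an attached CRL as current until its "next update date" and Tom Gindin's non-repudiation rule of taking the first CRL with an effective time after the transaction, as an added example that is not code from the list, the W3C or IBM; the Crl class, the status strings, the serial number and the dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, Optional

# Added example, not code from the xmldsig list or any W3C/IBM implementation.
# It models the two CRL policies argued in the thread using constructed dates.
@dataclass(frozen=True)
class Crl:
    this_update: datetime       # the CRL's "updated date"
    next_update: datetime       # the CRL's "next update date"
    revoked: FrozenSet[int]     # certificate serial numbers listed as revoked

def attached_crl_is_current(crl: Crl, verify_time: datetime) -> bool:
    """Real-time policy: a CRL carried in <X509CRL> may be treated as the
    latest only while the verification time is before its next_update."""
    return crl.this_update <= verify_time < crl.next_update

def crl_for_non_repudiation(crls: Iterable[Crl], signing_time: datetime) -> Optional[Crl]:
    """Non-repudiation policy: ignore whatever CRL was attached at signing
    time and take the first CRL issued after the transaction, so a revocation
    reported shortly after signing is not missed. None if none exists yet."""
    later = [c for c in crls if c.this_update > signing_time]
    return min(later, key=lambda c: c.this_update) if later else None

def revocation_status(serial: int, attached: Crl, repository: Iterable[Crl],
                      signing_time: datetime, verify_time: datetime,
                      non_repudiation: bool) -> str:
    """'good', 'revoked', 'stale-crl' (attached CRL past next_update: fetch a
    fresh one) or 'no-crl-yet' (nothing issued after the transaction so far)."""
    if non_repudiation:
        crl = crl_for_non_repudiation(repository, signing_time)
        if crl is None:
            return "no-crl-yet"
    else:
        if not attached_crl_is_current(attached, verify_time):
            return "stale-crl"
        crl = attached
    return "revoked" if serial in crl.revoked else "good"

# Constructed sample data: two monthly CRLs around the thread's dates.
CRL_SEPT = Crl(datetime(2001, 9, 1), datetime(2001, 10, 1), frozenset())
CRL_OCT = Crl(datetime(2001, 10, 1), datetime(2001, 11, 1), frozenset({0x1234}))
SIGNED_AT = datetime(2001, 9, 18, 10, 0)    # signed with CRL_SEPT attached
VERIFY_SOON = datetime(2001, 9, 20)         # real-time check two days later
VERIFY_LATER = datetime(2001, 10, 2)        # dispute raised after the October CRL

if __name__ == "__main__":
    print(revocation_status(0x1234, CRL_SEPT, [CRL_SEPT], SIGNED_AT, VERIFY_SOON, False))
    print(revocation_status(0x1234, CRL_SEPT, [CRL_SEPT, CRL_OCT], SIGNED_AT, VERIFY_LATER, True))
```

The same attached CRL yields "good" for a real-time check two days after signing but, once the next CRL is out, the non-repudiation policy reports the serial as revoked, which is exactly why an attached CRL cannot settle a later dispute.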