- From: Joseph Hui <jhui@digisle.net>
- Date: Wed, 24 Apr 2002 10:38:42 -0700
- To: "Srinivas Cheruku" <csri@sonata-software.com>, <www-ws@w3.org>
Srinivas, As far as non-repudiation goes, the receiver should check the "validity" field (or "expiry" as you chose to call it) of the signer's certificate against real time, because timestamps can be faked, say by the signer of an expired/revoked cert. I think of interest to you as an implementer/developer is that using timestamps for the purpose of proving DS ownership (e.g. the signer's private key was not stolen at the time the document was signed) requires the support of a massive infrastructure. Besides, there is always a window between the time when a private key is compromised and the time when the associated certificate is revoked, which an attacker can slip through. You may find the challenge-response approach a far more viable alternative to timestamping for validating whether the message signer/sender is indeed the rightful owner of the cert (which contains or leads you to the public key of the signer). Of course, you still have to check the cert against the CRL (i.e. Certificate Revocation List) and the cert's validity against real time. Note that things get complicated when an XML message contains multiple elements signed by multiple cert holders. That is, the challenge-response approach doesn't scale well for multi-signer messages. Good luck, Joe Hui Exodus, a Cable & Wireless service ======================================== > -----Original Message----- > From: Srinivas Cheruku [mailto:csri@sonata-software.com] > Sent: Tuesday, April 23, 2002 10:07 PM > To: www-ws@w3.org > Cc: Srinivas Cheruku > Subject: Web Services - Non-repudiation > > > Hi, > > I want to implement all the core requirements of security like > Authentication, Authorization, Privacy, Integrity and Non-repudiation. > > From the search on the web, for acheiving Non-repudiation we > can make use of > XML Digital Signatures. > But, i didnot find any information regarding the > timestamping. XML Digital > Signatures can prove the source of origin but how can we take > care of Time > Stamping so that we can prove that the sender as digitally > signed before the > expiry or revoking of his certificate. > > If i am wrong, please guiding me for acheiving non-repudiation in web > services. > > Many Thanks and regards, > Srini > ********************************************************************* > Disclaimer: The information in this e-mail and any attachments is > confidential / privileged. It is intended solely for the addressee or > addressees. If you are not the addressee indicated in this > message, you may > not copy or deliver this message to anyone. In such case, you > should destroy > this message and kindly notify the sender by reply email. > Please advise > immediately if you or your employer does not consent to > Internet email for > messages of this kind. > ********************************************************************* > >
Received on Wednesday, 24 April 2002 13:39:07 UTC