- From: Ed Simon <edsimon@xmlsec.com>
- Date: Fri, 28 Jun 2002 11:07:40 -0400
- To: <stef.hoeben@utimaco.be>
- Cc: <www-xkms@w3.org>
Stef wrote:

> But in order to check the validity of an entire cert chain
> some time in the past, the same procedure should be repeated
> for each cert in the chain, isn't it? (As opposed to e.g. adding
> an optional "ValidationTime" in the Validate request, this
> would allow cert chain validation with 1 single request).
>
> (I got the idea from PKIX drafts such as CVP, SCVP and RFC3029).
>
> If these things shouldn't be discussed on this list, pls. let me know.

The XKMS spec says "The <ValidityInterval> element specifies limits on the validity of the assertion." Note that it says "assertion", not "key" or "certificate". As I understand it, it is up to the service provider as to how the ValidityInterval bounds are determined, if at all, from the data in a certificate or certificate chain. Ultimately, the client is trusting the XKMS service, not the key info, in whatever form, it is sending to the XKMS service.

I notice the <KeyBindingType> has an "<any>" element attached to it so I'm not sure if this was intended as a place where services could attach non-core information like what you are looking for... maybe Phill can clarify.

BTW, earlier I quoted this paragraph from the spec:

"If the Reason code ValidityInterval is returned with a Status code of Invalid additional information MAY be provided in the <ValidityInterval> element of the KeyBinding. If only the NotOnOrAfter attribute is specified it indicates that the specified time instant is before the credential became valid. If only the NotAfter attribute is specified it indicates that either the credential expired or was revoked. If both the NotOnOrAfter and NotAfter attributes are specified it is likely that the credential was suspended and MAY be reinstated at a later time."

I guess there is a typo in the spec because I think "NotAfter" should really read as "NotBefore" in the above.
Ed

----------------------------------------------------------------------------
Ed Simon <edsimon@xmlsec.com>
(613) 726-9645
XMLsec Inc.
Interested in XML Security Training and Consulting services? Visit "www.xmlsec.com".

----- Original Message -----
From: <stef.hoeben@utimaco.be>
To: "Ed Simon" <edsimon@xmlsec.com>
Cc: <www-xkms@w3.org>
Sent: Friday, June 28, 2002 9:26 AM
Subject: Re: Validation of signatures?

> >> Could you tell me is it ("checking if a cert is valid some
> >> time ago"-ed.) is possible to do the above using
> >> the current XKMS 'Validate' service(s)?
> >
> >Yes, I would say it is. You can use the Validate service for the
> >certificate in question and the Validate service can choose to return a
> >status code of Invalid with a <ValidityInterval> element indicating the
> >certificate has already expired and when that happened.
>
> OK, I see, thanks!
>
> But in order to check the validity of an entire cert chain
> some time in the past, the same procedure should be repeated
> for each cert in the chain, isn't it? (As opposed to e.g. adding
> an optional "ValidationTime" in the Validate request, this
> would allow cert chain validation with 1 single request).
>
> (I got the idea from PKIX drafts such as CVP, SCVP and RFC3029).
>
> If these things shouldn't be discussed on this list, pls. let me know.
>
> Stef
Received on Friday, 28 June 2002 11:04:28 UTC
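The client-side reading of an Invalid/ValidityInterval result that the mail discusses (bounds on the Invalid assertion itself, with Ed's NotAfter-to-NotBefore correction), as an added Python example that is not part of this thread or of the XKMS specification. The element shape (Status with a StatusValue attribute, a Reason child, ValidityInterval attributes), the namespace-agnostic matching and the sample response are assumptions and constructed data, not the exact XKMS schema.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

def _local(tag):
    # Match on local names so the namespace prefix/URI does not matter.
    return tag.split("}")[-1]

def _find(elem, name):
    return next((e for e in elem.iter() if _local(e.tag) == name), None)

def _ts(value):
    # xs:dateTime with a trailing 'Z'; other offsets are out of scope here.
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def read_invalid_interval(xml_text):
    """Return (classification, not_before, not_on_or_after) for one KeyBinding.

    Follows the spec paragraph quoted in the mail, with NotAfter read as
    NotBefore: the interval bounds the *Invalid* assertion, not the credential.
    """
    root = ET.fromstring(xml_text)
    status, reason = _find(root, "Status"), _find(root, "Reason")
    if status is None or status.get("StatusValue") != "Invalid":
        return ("not-invalid", None, None)
    if reason is None or (reason.text or "").strip() != "ValidityInterval":
        return ("invalid:other-reason", None, None)
    vi = _find(root, "ValidityInterval")
    nb = _ts(vi.get("NotBefore")) if vi is not None else None
    noa = _ts(vi.get("NotOnOrAfter")) if vi is not None else None
    if nb and noa:
        kind = "invalid:likely-suspended"      # both bounds: may be reinstated later
    elif noa:
        kind = "invalid:not-yet-valid"         # invalid only until NotOnOrAfter
    elif nb:
        kind = "invalid:expired-or-revoked"    # invalid from NotBefore onward
    else:
        kind = "invalid:interval-unspecified"
    return (kind, nb, noa)

def covers(not_before, not_on_or_after, instant):
    """True if the asserted interval [NotBefore, NotOnOrAfter) contains instant."""
    return (not_before is None or not_before <= instant) and \
           (not_on_or_after is None or instant < not_on_or_after)

# Constructed sample: simplified response shape, not the exact XKMS schema.
EXPIRED_RESPONSE = """<KeyBinding>
  <Status StatusValue="Invalid"><Reason>ValidityInterval</Reason></Status>
  <ValidityInterval NotBefore="2002-01-01T00:00:00Z"/>
</KeyBinding>"""

if __name__ == "__main__":
    kind, nb, noa = read_invalid_interval(EXPIRED_RESPONSE)
    print(kind, covers(nb, noa, datetime(2001, 6, 1, tzinfo=timezone.utc)))
```

Because the interval qualifies the assertion, a past instant that falls outside it is simply not covered by this answer, which is why a per-instant question still needs a request (or a ValidationTime, as Stef suggests) per certificate in the chain.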