Who can be a Time Stamping Authority?
Hi Denis,
At paragraph 10 of Section 2.1 of the TSA Draft, it is mentioned that "a TSA
is REQUIRED to sign each time stamp token using a key generated exclusively
for this purpose and have this property of the key indicated on the
corresponding certificate".
This specific requirement explicitly excludes CAs that would want to offer a
time stamping service using the same key that they commonly use to sign
certificates and/or certificate status information (i.e. CRL or OCSP), which
is fine with me.
This then leaves two cases that I think you should describe in the TSA draft:
a. a TSA with a self-signed certificate whose public key is trusted by the
requester; or
b. a CA designated TSA who holds a specially marked certificate issued
directly by the CA, indicating that the TSA may be trusted to issue time
stamping tokens.
In the first case, each requester must obtain the TSA self-signed
certificate by some (out-of-band) authenticated process, which would be
outside the scope of this TSA document. Because it is mentioned in Section
2.2 of the TSA Draft that the requesting entity SHALL verify the validity of
the digital signature of the TimeStampToken, it is not clear how the
requester could verify the validity of the TSA self-signed certificate as
part of validating the digital signature of the TimeStampToken. This would
probably be a good reason for a TSA self-signed certificate to contain an
Authority Information Access extension [RFC2459], as suggested by Michael
Zolotarev, which could indicate how to access the on-line validation
services for the TSA certificate. Otherwise, the TSA self-signed
certificate should probably contain a CRL distribution points extension to
indicate where to find the status of the TSA certificate.
In the second case, the TSA certificate should contain an extension, which
would indicate that this TSA may issue time stamping tokens within that CA
realm. Since RFC2459 is currently being revised and, as suggested by Michael
Zolotarev, the Authority Information Access extension does not seem
appropriate for this particular purpose, I would suggest that a new private
Internet extension should probably be added to RFC2459 to achieve this
requirement.
Francois
___________________________________
Francois Rousseau
Director of Standards and Conformance
Chrysalis-ITS
1688 Woodward Drive
Ottawa, Ontario, CANADA, K2C 3R7
frousseau@chrysalis-its.com Tel. (613) 723-5077 Ext. 419
http://www.chrysalis-its.com Fax. (613) 723-5078
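The checks a requester would run on a TSA certificate under the two cases Francois describes, as an added example that is not part of his message or of the TSA draft. It uses only Go's standard library. Assumptions: the key-reservation property is signalled the way the published RFC 3161 (section 2.3) signals it, with an extKeyUsage extension holding only id-kp-timeStamping; a self-signed TSA certificate (case a) must carry at least an AIA OCSP pointer or a CRL distribution point so its status can be looked up; a CA-designated TSA certificate (case b) must chain to the CA. The certificates, keys and URLs are constructed in the code for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckTSACertificate applies the checks a requester needs before trusting a
// TimeStampToken signature: the certificate marks its key as reserved for time
// stamping (extKeyUsage holding only id-kp-timeStamping, so a CA's own
// certificate-signing certificate is rejected), and its validity is checkable:
// it chains to a trust anchor that permits time stamping (case b), or, when
// self-signed (case a), it names an OCSP responder (AIA) or a CRL distribution point.
func CheckTSACertificate(cert *x509.Certificate, trusted ...*x509.Certificate) error {
	if len(cert.ExtKeyUsage) != 1 || cert.ExtKeyUsage[0] != x509.ExtKeyUsageTimeStamping ||
		len(cert.UnknownExtKeyUsage) != 0 {
		return errors.New("extKeyUsage must contain exactly id-kp-timeStamping")
	}
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		len(cert.OCSPServer) == 0 && len(cert.CRLDistributionPoints) == 0 {
		return errors.New("self-signed TSA certificate names no OCSP responder or CRL distribution point")
	}
	roots := x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	// Verify rejects a chain in which any certificate forbids the requested purpose.
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},
	})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTemplate builds a one-day certificate template; every certificate below
// gets its own fresh P-256 key, as the draft requires for a TSA signing key.
func newTemplate(serial int64, cn string, usage x509.KeyUsage, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     usage,
		ExtKeyUsage:  eku,
	}, key
}

// issue signs tmpl under parent with the signer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// SelfSignedTSA builds case (a). withOCSPPointer adds the AIA access method the
// message suggests; without it a requester has no way to learn the certificate's status.
func SelfSignedTSA(withOCSPPointer bool) *x509.Certificate {
	tmpl, key := newTemplate(1, "Constructed self-signed TSA", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageTimeStamping)
	if withOCSPPointer {
		tmpl.OCSPServer = []string{"http://ocsp.tsa.invalid/"} // constructed placeholder URL
	}
	return issue(tmpl, tmpl, &key.PublicKey, key)
}

// CADesignatedTSA builds case (b): a CA issues a specially marked certificate to a
// TSA holding its own key. The CA certificate is returned as the trust anchor.
func CADesignatedTSA() (tsa, ca *x509.Certificate) {
	caTmpl, caKey := newTemplate(1, "Constructed CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	caTmpl.BasicConstraintsValid, caTmpl.IsCA = true, true
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	tsaTmpl, tsaKey := newTemplate(2, "Constructed CA-designated TSA", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageTimeStamping)
	tsaTmpl.CRLDistributionPoints = []string{"http://crl.ca.invalid/ca.crl"} // constructed placeholder URL
	return issue(tsaTmpl, ca, &tsaKey.PublicKey, caKey), ca
}

func main() {
	good := SelfSignedTSA(true)
	tsa, ca := CADesignatedTSA()
	fmt.Println("self-signed TSA with OCSP pointer:", CheckTSACertificate(good, good))
	fmt.Println("CA-designated TSA:", CheckTSACertificate(tsa, ca))
	fmt.Println("CA certificate reused for time stamping:", CheckTSACertificate(ca, ca))
}
```

Running it with `go run` prints a nil error for the two well-formed cases and a rejection for the CA certificate reused as a TSA certificate. The status pointer in case (a) only tells the requester where to look; the example does not perform the OCSP or CRL fetch. RFC 3161 also requires the extKeyUsage extension to be marked critical, which Go's CreateCertificate does not do by default, so a production check would additionally inspect the critical flag in cert.Extensions.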