RE: Verifying signatures for documents signed looong time back..
Some thoughts:
1. Certificate repositories used for this purpose must maintain as-of
information: "was this certificate valid as of 12/3/97?"
2. Must deal with the possibility that today's strongest available
encryption strength becomes child's play to forge at some point during the
life of the document.
3. Alternative: Do not use PKI for long-after validation of signature.
Instead, post the document to a secure registry, which validates the
signature upon posting. Years later, the registry can deliver an official
copy of the document together with the registry's certification (with a
_new_ signature) that the document's signature was valid when received.
4. Someone on one of these lists also suggested that a doctrine of limited
challenges is necessary: If a signature accepted by a registry as valid is
unchallenged after a specified period, no further challenges are accepted.
--------------------------------------------------
Dwight Arthur
Managing Director: Systems
National Securities Clearing
55 Water Street
New York, NY 10041-0082
p:(212) 412-8687
f:(212) 908-2345
b:(917) 646-6682
dwightarthur@mindspring.com
http://www.nscc.com
-----Original Message-----
From: owner-ietf-pkix@imc.org [mailto:owner-ietf-pkix@imc.org] On Behalf Of
Jayant Sane
Sent: Wednesday, August 12, 1998 6:37 PM
To: PKIXDiscuss
Subject: Verifying signatures for documents signed looong time back..
Hi,
Forgive me if this issue/question has been discussed in the past or is an
improper post for this list. I did not find anything on this topic in the
archive (unless I overlooked something).
How does one "correctly" verify a signature such that the signing
certificate has expired? Basically during the time of verification (anytime
after the signing operation), how does one correctly establish that the signing
certificate in consideration was valid then?
Is it at all feasible (it better be)? If yes, does it call for maintaining
some extra information at the time of signing?
-Jayant
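
Added example, not part of either message on this page: a Python sketch of points 1 and 3 of the reply, an as-of validity query and a registry that certifies a posting at receipt time. The names (CertRecord, valid_as_of, registry_certify, check_certification), the sample data other than the 12/3/97 date, the HMAC tag standing in for the registry's new signature, and the signature_ok flag standing in for the actual signature check are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class CertRecord:
    """Repository entry (hypothetical layout) that keeps history for as-of queries."""
    serial: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # None means never revoked

def valid_as_of(cert: CertRecord, when: datetime) -> bool:
    """Point 1: was the certificate in its validity window and unrevoked at `when`?"""
    if not (cert.not_before <= when <= cert.not_after):
        return False
    return cert.revoked_at is None or when < cert.revoked_at

def _tag(key: bytes, rec: dict) -> str:
    # HMAC is a stand-in (assumption) for the registry's own fresh signature.
    msg = "|".join((rec["sha256"], rec["serial"], rec["received"])).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def registry_certify(key: bytes, document: bytes, cert: CertRecord,
                     received: datetime, signature_ok: bool) -> Optional[dict]:
    """Point 3: accept a posting only if the signature verified (signature_ok,
    computed elsewhere) and the certificate was valid at receipt time."""
    if not (signature_ok and valid_as_of(cert, received)):
        return None
    rec = {"sha256": hashlib.sha256(document).hexdigest(),
           "serial": cert.serial, "received": received.isoformat()}
    rec["tag"] = _tag(key, rec)
    return rec

def check_certification(key: bytes, document: bytes, rec: dict) -> bool:
    """Years later: rely on the registry's record, not on the expired certificate."""
    if hashlib.sha256(document).hexdigest() != rec["sha256"]:
        return False
    return hmac.compare_digest(_tag(key, rec), rec["tag"])

# Constructed sample data (not from the page, apart from the 12/3/97 date).
UTC = timezone.utc
CERT = CertRecord("01", datetime(1997, 1, 1, tzinfo=UTC), datetime(1998, 12, 31, tzinfo=UTC))
REVOKED = CertRecord("02", CERT.not_before, CERT.not_after, datetime(1998, 6, 1, tzinfo=UTC))
AS_OF = datetime(1997, 12, 3, tzinfo=UTC)
AFTER_EXPIRY = datetime(1999, 1, 1, tzinfo=UTC)
AFTER_REVOCATION = datetime(1998, 7, 1, tzinfo=UTC)
```

The later check never consults the signer's certificate, so expiry of that certificate no longer matters; what must stay trustworthy is the registry's own key and record.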