[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: when can an entry not appear on a CRL?

To: Juergen.Walter@xxxxxx
Subject: Re: when can an entry not appear on a CRL?
From: Paul Koning <pkoning@xxxxxxxxx>
Date: Wed, 16 Dec 1998 14:49:08 -0500
Cc: ietf-pkix@xxxxxxx
References: <><><><>
Sender: owner-ietf-pkix@xxxxxxx

>>>>> "Juergen" == Juergen Walter <walter@deh.de> writes:

 Juergen> Paul Koning wrote:
 >> On a related issue, if you use "time of signature generation" how
 >> do you know what that is?  It can't just be the timestamp in the
 >> signature, since that would allow the thief of a key which was
 >> revoked at time T to generate a "valid" signature by constructing
 >> one with signing time T-epsilon.

 Juergen> This is right under the assumption that the thief can sign
 Juergen> with signing time T-epsilon. If the signer has included an
 Juergen> appropriate non-repudiation token (e. g. a token generated
 Juergen> by a trusted time stamp server), then this attack fails.

Not quite.  It fails if the verifier insists that all signatures it
verifies must be accompanied by a trusted time stamp token if they are 
to be verified to a time older than the time of verification.

The fact that the legitimate signer includes tokens doesn't prevent
the intruder from generating signatures without tokens unless the
verifier insists on them.

	paul

Follow-Ups:
- Re: when can an entry not appear on a CRL?
  - From: Juergen Walter

References:
- when can an entry not appear on a CRL?
  - From: Mary_Ellen_Zurko
- Re: when can an entry not appear on a CRL?
  - From: Juergen Walter
- Re: when can an entry not appear on a CRL?
  - From: Paul Koning
- Re: when can an entry not appear on a CRL?
  - From: Juergen Walter

Prev by Date: Re: when can an entry not appear on a CRL?
Next by Date: Cash or charge? (Was: Re: Invalidity Dates)
Previous by thread: Re: when can an entry not appear on a CRL?
Next by thread: Re: when can an entry not appear on a CRL?
Index(es):
- Date
- Thread