July 30, 2010, 1300-1400, IETF 78 – Maastricht. T. Gondrom, S. Fischer-Dieskau. draft-ietf-ltans-validate-03. Informational
Describes the verification data that should be integrated into signatures/timestamps, when it should be acquired, and how to include it in the archived structures to ensure long-term verification of signatures (recommendations)
Types of trust centers (fully trusted vs. partially trusted)
Explain layer model vs. chain model
Algorithms in all certs are still secure: mandatory
No cert has been revoked: mandatory
Certs in the chain up to the root are all unexpired: ?? (the first must obviously be valid, but does expiry of higher certs affect the validity of signatures made with lower certs?)
List of verification data: certificates of all parties involved in the issuance of the time stamp certificate, Certificate Revocation Lists (CRLs) and/or OCSP responses are needed.
List of verification data:
Cert of signature/timestamp
For protected signatures: All certs up to root
For used timestamps: all certs up to root
OCSP responses or CRLs (technical implications of using CRLs for retrieval, due to the "gray time" before a revocation appears in a published CRL)
Fully trusted TSAs can ensure out-of-band communication of breaches (public interest) and thus allow OCSP/CRL data to be omitted, with the full cert chain alone being sufficient.
Course of action:
Integrate document into ari?
Get cross review of PKIX?
(posted to their mailing list, but so far no answer)