On Thu, Jan 22, 2004 at 10:44:31AM -0500, Rich Salz wrote:
> Why? If I signed something last week, and the certificate was valid
> last week, isn't the signature still good? There are some people who
> feel differently. It probably all depends on legal and regulatory
> context. Is the wet signature on a will still valid when the person
> dies? Of course.

I'm glad this has been brought up, as it's confused me for a while.

If I am using S/MIME, someone could steal my laptop and I might decide my cert is compromised and have it revoked. Someone (i.e. their MUA) who received a signed e-mail from me a week earlier should still consider my e-mail valid because even though it's in the CRL - that was timestamped *after* the e-mail was sent.

Is that correct?

What if my cert happened to expire 1 month later? Would that mean if someone did compromise my cert and sent signed e-mails before it expired (but *after* I added it to the CRL), then after it expires, that signed e-mail would appear VALID - as it wouldn't be in the CRL anymore?

I mean, wouldn't that be a major failing of PKI? I must be missing something...

[e.g. are you meant to always renew S/MIME certs - due to this special issue - so that they never expire?]

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1