I agree with Denis that some reference should be made about the
consequences of not having a trusted signingTime. The consequences of
this for nonrepudiation are very serious.
Since an attacker (or a malicious original signer) could set an
arbitrary signingTime with a compromised key this (in the absence of
suitable corroboration of a "signed before time" and revocation status
at or after that time) WOULD INVALIDATE THE SIGNATURE OF EVERY MESSAGE
EVER SIGNED BY THE COMPROMISED KEY.
Even real time applications are not totally immune. It all depends on
the granularity of the revocation process. There is still a CA dependent
"window" where an attack could take place. There is also the possibility
that a CA will permit a user to specify that their key was compromised
some time in the past.
In addition some applications need to demonstrate the validity of a
signature after the signing certificate chain has expired. A CA may not
make revocation information available (or even destroy it) a
considerable time after certificate expiry. As a result a CRL or
equivalent must be kept in such cases. To remove any possibility of
attack it must be able to demonstrate that the signer's certificate was
valid ON OR AFTER THE TIME OF THE TRUSTED TIMESTAMP.
Steve.
--
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk
PGP key: via homepage.