Russ Housley <housley(_at_)vigilsec(_dot_)com> writes:
The application itself is not ready for release to the IETF, and it may never
be released to the IETF. However, please take a look at
draft-housley-cms-fw-wrap. This has many properties in common with the application that is not
yet ready for release. Basically, a content type is defined, and the use of
CMS to protect that content type is specified. S/MIME is not used, only CMS.
The text currently specifies that a hardware module adds a
signing-time attribute if it has a clock. Nothing is said
about verification which may be delegated to DPV servers etc.
So the new attribute may even have an impact to such servers.
I don't think that such firmwares have a big problem to create
a current signing time attribute. The amount of code necessary
to do CMS is huge compared with the few lines of conversion.
And, as soon as you have any kind of user interface, you probably
want to parameterize something else than seconds.
As soon as you do anything with certs and not only with trust
anchors, you need logic to convert binary to textual time.
If it's meant for use in fw-wrap, couldn't it just be specified as an extra
attribute in there, along with the other attributes that fw-wrap introduces?
That sounds a good compromise to me.