I'd like to suggest that since the PEM/MIME or MOSS folks are
currently incorporating the security-relevant parts of RFC 1422 in
their spec rather than incorporating them by reference, that this
would be a very opportune time to add the requirement for a time
stamp, either in the signature itself or elsewhere, whichever way
works out best architecturally.

Not so, but far otherwise. This is a terrible time to add *any* requirements,
much less ones which are intractable.

Timestamp services are a great service someone can offer (the USPS, NIST, or
any number of other agencies being prime candidates for trusted time
stampers). However, they cannot be reliably generated without such a third
party, and hence I strongly feel that this is outside the scope of MOSS.

I am somewhat dismayed at the prospect that we will yet again get sidetracked
onto an issue that is important but irrelevant to the task at hand.

I don't know about you, but I want to see a MOSS draft before I go off and
talk about new business, such as timestamping, directory services, or whatnot.
We have proven our inability to handle simultaneous tasks. Let's do one thing
at a time.

Amanda Walker
InterCon Systems Corporation