[Smcwg-public] Some more thoughts on s/mime requirement sets

Doug Beattie doug.beattie at globalsign.com
Thu Aug 20 10:37:23 MST 2020


I wish... that emails I received with valid signatures didn't become invalid
when the sender's certificate expired.  It's a warning that's necessary upon
first receipt of the email (the date/time when the signature was created),
but not necessary thereafter. It's difficult to dig into the cause of the
error and then I get accustomed to seeing warnings (which defeats the value of
signed emails).

Can we think about introducing the concept of Long-Term Signature Validation
(LTV) signatures like Adobe where there is an embedded timestamp that helps
convey a more positive signature status?  I know this is a bit "out there"
and not likely to be included in an early version of the spec, but can we
add this to the longer-term roadmap of things to discuss?

As far as validity of the certificates: One of the important points in the
reduction of the validity is to re-confirm the user's identity on a more
regular basis.  This can be done by re-signing the same keys and issuing a
new cert, and does not increase the number of keys you need to manage or
certs you need to store (which might address the Token discussions).
Regular re-validation should be easy and automated.  If we can overcome the
issues with displaying invalid signatures for expired certificates (above)
then there's little reason these can't be replaced more frequently than most
customers do today (especially for service providers and large enterprises
which can automate the process entirely).


Doug
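The validation policy the message asks for, as an added example that is not part of the post or of any CA/B Forum text: a client evaluates the signer certificate's validity window at the time the signature was made rather than at the time the mail is opened, and only a trusted timestamp (a TSA token over the signature, as LTV profiles embed) is allowed to establish that time. The signer-asserted CMS signingTime attribute is kept untrusted on purpose, since the signer controls its own clock. The code models validity windows and evidence with plain dataclasses instead of parsing real CMS/PKCS#7 structures, and the cryptographic check of the signature itself and revocation checking are assumed to have already happened (both out of scope here); all class and function names are this example's own.

```python
"""Time-based status of an S/MIME signature, evaluated the way LTV profiles do it.

Assumptions (this is an illustration, not a CMS parser):
- the cryptographic verification of the signature already passed;
- revocation status is not considered;
- a trusted timestamp, if present, is a TSA time over the signature value.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Status(Enum):
    VALID = "valid: signer certificate is currently within its validity period"
    VALID_AT_SIGNING = ("valid: certificate has since expired, but a trusted "
                        "timestamp proves it was valid when the signature was made")
    EXPIRED = "invalid: certificate expired and there is no trusted proof of signing time"
    NOT_YET_VALID = "invalid: signer certificate is not yet valid"


@dataclass(frozen=True)
class CertValidity:
    """The notBefore/notAfter window of the signer certificate."""
    not_before: datetime
    not_after: datetime

    def contains(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class SignatureEvidence:
    """What a verifier has in hand after the signature bytes checked out."""
    signer_cert: CertValidity
    # CMS signingTime attribute: set by the signer's own clock, so untrusted.
    asserted_signing_time: Optional[datetime] = None
    # Time from a timestamp token issued by a trusted TSA over the signature.
    trusted_timestamp: Optional[datetime] = None


def evaluate(ev: SignatureEvidence, now: datetime) -> Status:
    """Decide the signature status as of `now` (the moment the mail is displayed)."""
    cert = ev.signer_cert
    if cert.contains(now):
        return Status.VALID
    if now < cert.not_before:
        return Status.NOT_YET_VALID
    # The certificate has expired. Only a trusted time that falls inside the
    # validity window rescues the signature; the signer-asserted signingTime
    # is deliberately ignored here, because the signer could backdate it.
    if ev.trusted_timestamp is not None and cert.contains(ev.trusted_timestamp):
        return Status.VALID_AT_SIGNING
    return Status.EXPIRED


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so the constructed dates below are timezone-aware UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: a one-year certificate and a mail signed during that year.
SAMPLE_CERT = CertValidity(not_before=utc(2020, 1, 1), not_after=utc(2021, 1, 1))
SIGNED_WITH_TIMESTAMP = SignatureEvidence(
    SAMPLE_CERT, asserted_signing_time=utc(2020, 8, 20), trusted_timestamp=utc(2020, 8, 20))
SIGNED_WITHOUT_TIMESTAMP = SignatureEvidence(
    SAMPLE_CERT, asserted_signing_time=utc(2020, 8, 20))


if __name__ == "__main__":
    for label, ev in (("with timestamp", SIGNED_WITH_TIMESTAMP),
                      ("without timestamp", SIGNED_WITHOUT_TIMESTAMP)):
        for when in (utc(2020, 8, 21), utc(2022, 1, 1)):
            print(f"{label}, opened {when.date()}: {evaluate(ev, when).value}")
```

In a real verifier the two inputs come from the CMS SignerInfo: signingTime is the signed attribute with OID 1.2.840.113549.1.9.5, and the timestamp is the RFC 3161 token carried in the unsigned id-aa-signatureTimeStampToken attribute (1.2.840.113549.1.9.16.2.14); the TSA's own certificate chain then has to be validated as well, which is why LTV profiles also embed the revocation data gathered at signing time.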
