Certs by a revoked key

Erwan David erwan@rail.eu.org
Sun Feb 23 13:04:01 2003


On Sun 23/02/2003, Jan Niehusmann said
> On Fri, Feb 21, 2003 at 07:21:51AM -0500, David Shaw wrote:
> > No, because unless you are talking about a very special use where the
> > sender and receiver have rigidly controlled clocks and nobody else can
> > participate, there is no way to tell whether the "old signatures"
> > predate the revocation or not.
> 
> But that's exactly what I said: Because we don't know if a signature was
> made before or after the revocation, we should assume all signatures
> made with a revoked key as invalid. Or at least give a big
> warning. And for certs, we should not use them in trust calculation.

So that's a point in which S/MIME PKCS#7 are better, since the signature
contains a (signed) signing time...

-- 
Erwan