Warning/Error for signature expirations #678
Assignees
Labels
Comments
|
Comment from the TC (Denny) : "Signatures MUST be valid for at least 30" |
|
As discussed in the CSAF TC monthly meeting on 2024-02-28, this will be added to the guidance documentation for CSAF 2.0. |
tschmidtb51
added a commit
to tschmidtb51/csaf
that referenced
this issue
Apr 23, 2024
- addresses parts of oasis-tcs#678 - add FAQ on signing
tschmidtb51
added a commit
to tschmidtb51/csaf
that referenced
this issue
Apr 23, 2024
- addresses parts of oasis-tcs#678 - provide tool guidance
Merged
|
As discussed in the CSAF TC monthly meeting on 2024-04-24, the wording from #724 will be added to CSAF 2.1. |
tschmidtb51
added a commit
to tschmidtb51/csaf
that referenced
this issue
Apr 24, 2024
- addresses parts of oasis-tcs#678 - add guidance on signing regarding minimum requirement of still valid for 30 days - add tool guidance
Merged
tschmidtb51
added
editor-revision
|
@ctron The comments mailing list is now back online. Please formally announce your suggestion there, e.g. through "Please see our suggest in Github Issue XYZ (https://github.com/oasis-tcs/csaf/issues/XYZ)." Thank you! |
|
The issue was suggested on the mailing list: https://groups.oasis-open.org/discussion/warningerror-for-signature-expirations |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When documents are signed with a key, that key/certificate may expire, making the validation of such signatures problematic.
I believe there should be a grace period in the specification which requires that there is "enough" time left. And while one can argue about the exact number, I think it would make sense to have two requirements in the spec:
The text was updated successfully, but these errors were encountered: