Really think we should not be adding things w/o the proper use case, as we have a ton of nice to have things but we also have no use cases so we have not burdened the group with these
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Jim Schaad Sent: Wednesday, October 10, 2012 10:18 AM To: Anthony Nadalin; [email protected] Subject: Re: [jose] Proposal - Create a SignTime Header I do not have a current use case in terms of a specific application. I just note that having a time that things are signed is common practice in many documents that are used today. As such I believe it will be a common attribute on signatures that will be needed in the future. Jim > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf > Of Anthony Nadalin > Sent: Tuesday, October 09, 2012 6:40 PM > To: Jim Schaad; [email protected] > Subject: Re: [jose] Proposal - Create a SignTime Header > > What is the use case here? I really hate to bring in time requirements. > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf > Of Jim Schaad > Sent: Tuesday, October 9, 2012 11:34 AM > To: [email protected] > Subject: [jose] Proposal - Create a SignTime Header > > I propose that we create a header entry that is optional and contains > a time > that the signer claims that they signed at. > > There are two different types of times that can found in signed statements. > The first is going to be a time field associated with the data. This > is the > current approach that is used for the JWT in that part of the claims > about the > token itself is the time that the claims in the token are created. > The second > time field is associated with the signing operation and is a claim not about the > content but about the signature. This is a signing time. The claims > may be > attested to at a different time that the signature was created. > > > Having a signing time is not an important issue for the JWT > specification; however I believe that it will become an issue for > cases where multiple people will be signing a single document. These > signatures may be either made in parallel or serialized but as they > occur at different times knowing a > claimed signing time may be of interest. > > > > Side note - I believe that the nonce question should be dropped until > somebody makes a case for it that is related to signatures and not to > protocols which is where I generally see nonces being used. (That is > for freshness checking or associating multiple documents in a single > dialog.) > > Jim > > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > > > > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
