OASIS Mailing List Archives

 



cti message



Subject: Digital Signatures (was Re: [cti] timestamp proposal for STIX 2.0 RC3)


I also do not understand why one would calculate a signature on a transformed document, not the bytes received over the wire. Can someone explain this to me?

On Dec 7, 2016, at 1:38 PM, Bret Jordan (CS) <Bret_Jordan@symantec.com> wrote:
"For example, if you send me a date that has pico-seconds and I can only understand micro-seconds and thus drop that precision on the floor, then the digital signatures will FAIL."

On Dec 7, 2016, at 5:53 PM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

This makes no sense to me at all; I would need someone to explain this in more detail. Digital signatures have to be validated based on the received JSON, not based on whatever data format you decided to store in your local database. Remember that most end-recipient folks are going to be taking the JSON, storing it in some other format, and throwing it away... anyone who wants to re-share CTI content (i.e., a TIP) has to store the raw JSON in some fashion, or else the signature will break. This has nothing to do with timestamps at all.

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
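
The point argued in the thread above, as an added example that is not part of the original messages: a signature checked over the received bytes survives local precision loss as long as the raw JSON is kept for re-sharing, while re-serializing the stored form breaks it. Assumptions: HMAC-SHA256 with a constructed demo key stands in for a real digital signature, the STIX-like object is constructed, and all function names are hypothetical.

```python
import hashlib
import hmac
import json
import re

# Assumption: HMAC-SHA256 with a shared demo key stands in for a real
# digital signature; the byte-exactness property shown is the same.
DEMO_KEY = b"constructed-demo-key"

def sign(raw: bytes) -> bytes:
    return hmac.new(DEMO_KEY, raw, hashlib.sha256).digest()

def verify(raw: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(raw), sig)

def truncate_to_micros(ts: str) -> str:
    """Drop fractional-second digits beyond microseconds (6 digits)."""
    return re.sub(r"(\.\d{6})\d+", r"\1", ts)

def ingest(raw: bytes, sig: bytes) -> dict:
    """Verify the wire bytes first, then parse and store both forms."""
    if not verify(raw, sig):
        raise ValueError("signature does not match received bytes")
    obj = json.loads(raw)
    obj["created"] = truncate_to_micros(obj["created"])  # local precision
    return {"raw": raw, "sig": sig, "parsed": obj}

def reshare_from_parsed(record: dict) -> bytes:
    """Re-serialize the local representation (breaks the signature)."""
    return json.dumps(record["parsed"]).encode()

def reshare_from_raw(record: dict) -> bytes:
    """Forward the stored wire bytes unchanged (signature still valid)."""
    return record["raw"]

# Constructed sample: a STIX-like object with picosecond precision.
WIRE = b'{"type":"indicator","created":"2016-12-07T18:38:00.123456789012Z"}'
SIG = sign(WIRE)

if __name__ == "__main__":
    rec = ingest(WIRE, SIG)
    print("stored timestamp:", rec["parsed"]["created"])
    print("raw re-share verifies:", verify(reshare_from_raw(rec), SIG))
    print("re-serialized verifies:", verify(reshare_from_parsed(rec), SIG))
```

Even without the timestamp truncation, a plain parse and re-serialize changes whitespace in the output, so the re-serialized bytes fail verification for that reason alone.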


