Open AbrarJahin opened 4 years ago
Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @jeffhandley See info in area-owners.md if you want to be subscribed.
Would it make sense to allow the user to manually provide a timestamp instead? The user can take the time from the timestamp server or another source themselves. Also, we wouldn't couple networking into SignedXml.
It makes sense because all time servers are not allowed in all networks (some secured networks). Currently, time is coming from the local PC, which is problematic because local PC time can be modified easily. If it comes from any TSA, that would surely be better than this if the app is running on the user's PC; for the server it doesn't matter most.
If we like to develop an application for some secured networks like national security, in that case, time should come from TSA or any server and all servers are not accessible in all national secured infrastructures. I am trying to develop an app for this type of cases where the government is willing to set up a local TSA for secured networks or intranets.
@krwq, I would like to contribute to developing this library for this case, as I am actively working in this field and it is an open-source project. Is this possible? If yes, can you please tell me how I can contribute? Thanks
@AbrarJahin really nice to hear this! Couple of ways you can help:
Make sure that if you find any security bugs, you do not write about them directly on GitHub and instead write to secure@microsoft.com (and there might be a bounty for good finds if you go this way 😄)
Request to add Custom TSA for storing signing time during XML Signature Using System.Security.Cryptography.Xml.SignedXml
Hi, I would like to sign an XML document. I am seeing that the signature time is taken from the system time. My concern is: if the system time is not accurate, then what would happen? In that case, the time should come from a trusted TSA, and the TSA should be customisable. And there should also be a TSA Url checker so that we can find out from code whether the TSA is reachable from the current network or not. This functionality should be optional, because otherwise every time we need to sign a file, the internet would be needed. By default, the time should be taken from the local system, but if a TSA Url is given, then the time should be taken from the TSA.
Proposed API
I like to create a signed XML like current way, but like to have a way to add a TSA Url during sign like this-
In this example reference.TsaUri is used for signing the document.
Usage Examples
Alternative Designs
Risks
The option of setting a TSA should be optional; in the default case (if no TSA URL is given), the time can be taken from the local PC. Otherwise, in a completely local situation (where no server is available), signing may not be possible.
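The approach suggested in the replies, where the caller obtains the timestamp and SignedXml stays free of networking, can be done today with the RFC 3161 types in System.Security.Cryptography.Pkcs. This is an added example, not code from the issue or from dotnet/runtime; `TsaClient`, `TimestampAsync` and the parameter names are hypothetical, and it assumes .NET 6 or later with the TSA's root certificates supplied by the caller.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class TsaClient // hypothetical helper, not part of SignedXml
{
    // signatureValue: the bytes of the computed signature (e.g. SignedXml.SignatureValue).
    // tsaRoots: trust anchors for the TSA, e.g. the root of an intranet TSA.
    public static async Task<(DateTimeOffset Time, byte[] Token)> TimestampAsync(
        HttpClient http, Uri tsaUri, byte[] signatureValue, X509Certificate2Collection tsaRoots)
    {
        // A random nonce binds the response to this request and blocks replayed tokens.
        var nonce = new ReadOnlyMemory<byte>(RandomNumberGenerator.GetBytes(16));
        Rfc3161TimestampRequest request = Rfc3161TimestampRequest.CreateFromData(
            signatureValue, HashAlgorithmName.SHA256,
            nonce: nonce, requestSignerCertificates: true);

        using var body = new ByteArrayContent(request.Encode());
        body.Headers.ContentType = new MediaTypeHeaderValue("application/timestamp-query");
        using HttpResponseMessage response = await http.PostAsync(tsaUri, body);
        response.EnsureSuccessStatusCode(); // an unreachable TSA surfaces here or as HttpRequestException
        byte[] reply = await response.Content.ReadAsByteArrayAsync();

        // Throws CryptographicException if the TSA refused the request or the
        // returned hash or nonce does not match what was sent.
        Rfc3161TimestampToken token = request.ProcessResponse(reply, out _);

        // Check the token's CMS signature over the same data and get the signer certificate.
        if (!token.VerifySignatureForData(signatureValue, out X509Certificate2? tsaCert) || tsaCert is null)
            throw new CryptographicException("Timestamp token signature is not valid.");

        // The token is only as trustworthy as its signer: require a chain to the
        // supplied roots and the id-kp-timeStamping extended key usage.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(tsaRoots);
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.8"));
        // Revocation uses the default (online) mode; adjust it for networks without CRL/OCSP access.
        if (!chain.Build(tsaCert))
            throw new CryptographicException("TSA certificate is not trusted.");

        // Time asserted by the TSA, plus the encoded token to store next to the signature.
        return (token.TokenInfo.Timestamp, token.AsSignedCms().Encode());
    }
}
```

The returned token is what a verifier should rely on later; the `Time` value alone carries no proof once it is separated from the token.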