Hello all and personally Nick!
I have a couple new questions regarding CAdES implementation.
Consider section 6.2.2 of ETSI 101 733 v1.7.3 (excerpt):
CompleteRevocationRefs shall contain one CrlOcspRef for the
signing-certificate, followed by one for each OtherCertID in the
CompleteCertificateRefs attribute. The second and subsequent CrlOcspRef
fields shall be in the same order as the OtherCertID to which they relate.
At least one of CRLListID or OcspListID or OtherRevRefs should be present
for all but the "trusted" CA of the certificate path.
The first question.
It seems to me that one can include an empty CrlOcspRef (without any
OcspListID or OtherRevRefs) for a "trusted" CA. Am I right? If one cannot do
that, then all "trusted" CA certificates have to be placed at the end
of CompleteCertificateRefs SEQUENCE. Which way is right? Or maybe both?
The second question.
It's quite clear how to compose this attribute in a simple CRL-only case.
Now, let us use OCSP. Where should one place a certificate of
OCSP-responder? It would be great if one could place a reference to this
certificate in CompleteCertificateRefs (but it is in some way prohibited by
the phrase "It references the full set of CA
certificates that : " in section 6.2.1). Let us assume that this certificate
is no-check and one does not need to place the corresponding CrlOcspRef into
CompleteRevocationRefs attribute. Then one has to equate such
OCSP-responder certificate to a "trusted" CA and either include an empty
CrlOcspRef in CompleteRevocationRefs or place the certificate at the end of
CompleteCertificateRefs SEQUENCE. How should I solve this?
Tel./Fax: +7 495 780-4820
WWW: http://www.CryptoPro.ru
e-mail: spv(_at_)CryptoPro(_dot_)ru
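
The ordering rule quoted in the message, as an added example that is not part of the original post or of the ETSI text: a Python check that pairs each CrlOcspRef with the signing certificate and then with each OtherCertID by position. The class names, the trusted flag and the sample values are constructed for illustration, and accepting an empty CrlOcspRef for a "trusted" CA is the reading proposed in the question, taken here as an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CrlOcspRef:
    # Mirrors the three OPTIONAL members named in the excerpt; contents are opaque here.
    crlids: tuple = ()
    ocspids: tuple = ()
    other_rev: tuple = ()

    def is_empty(self):
        return not (self.crlids or self.ocspids or self.other_rev)

@dataclass(frozen=True)
class CertRef:
    name: str              # label used only in findings (constructed)
    trusted: bool = False  # the verifier's own trust-anchor decision (assumption)

def check_revocation_refs(signer, cert_refs, rev_refs):
    """Compare CompleteRevocationRefs with CompleteCertificateRefs by position.

    Returns a list of findings; an empty list means the layout matches the rule.
    """
    findings = []
    expected = 1 + len(cert_refs)  # one for the signer, one per OtherCertID
    if len(rev_refs) != expected:
        findings.append(f"expected {expected} CrlOcspRef entries, found {len(rev_refs)}")
    # Position i in rev_refs relates to the signer (i == 0) or to cert_refs[i - 1].
    for cert, ref in zip([signer, *cert_refs], rev_refs):
        if ref.is_empty() and not cert.trusted:
            # "should be present" in the excerpt, so this is a warning-level finding.
            findings.append(f"{cert.name}: no CRLListID, OcspListID or OtherRevRefs")
    return findings

# Constructed sample data.
SIGNER = CertRef("signer")
INTERMEDIATE = CertRef("intermediate-ca")
ROOT = CertRef("root-ca", trusted=True)
REF_CRL = CrlOcspRef(crlids=("crl-hash-placeholder",))
REF_OCSP = CrlOcspRef(ocspids=("ocsp-hash-placeholder",))
EMPTY = CrlOcspRef()

if __name__ == "__main__":
    # Trusted CA last, with an empty placeholder: aligned.
    print(check_revocation_refs(SIGNER, [INTERMEDIATE, ROOT], [REF_CRL, REF_OCSP, EMPTY]))
    # Trusted CA in the middle: the empty placeholder keeps later entries aligned.
    print(check_revocation_refs(SIGNER, [ROOT, INTERMEDIATE], [REF_CRL, EMPTY, REF_OCSP]))
    # Placeholder omitted: the count no longer matches the certificate references.
    print(check_revocation_refs(SIGNER, [INTERMEDIATE, ROOT], [REF_CRL, REF_OCSP]))
```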