
RE: CAdES implementation. Complete Revocation References attribute.

2008-03-05 04:09:01


It is easy.


RFC 2560


4.2.1  ASN.1 Specification of the OCSP Response


BasicOCSPResponse       ::= SEQUENCE {
      tbsResponseData      ResponseData,
      signatureAlgorithm   AlgorithmIdentifier,
      signature            BIT STRING,
      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }


It means: you must use the OPTIONAL certs for this purpose.

A similar problem is solved with timestamps, where the certs and CRLs for 
timestamp validation are included in the timestamp and not in the signature 
that is timestamped.
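The point made above, that the responder certificate travels in the OPTIONAL certs [0] field of BasicOCSPResponse, as an added example that is not code from either message in this thread. It builds a minimal DER BasicOCSPResponse with and without certs, then extracts the embedded certificates with a strict DER reader. The tbsResponseData, signature and "certificates" are constructed placeholders (bare SEQUENCEs, a zero BIT STRING), not real OCSP or X.509 data; only the outer framing and the [0] EXPLICIT wrapping are exercised.

```python
from typing import List, Tuple

SEQUENCE = 0x30
BIT_STRING = 0x03
OID = 0x06
CERTS_TAG = 0xA0  # [0] EXPLICIT: context-specific, constructed, number 0


def der_len(n: int) -> bytes:
    """DER definite-length encoding (short form below 128, minimal long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value


def build_basic_ocsp_response(certs: List[bytes]) -> bytes:
    """Encode BasicOCSPResponse; certs [0] is emitted only when non-empty (it is OPTIONAL)."""
    tbs = tlv(SEQUENCE, b"")                                            # placeholder ResponseData
    alg = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d010105")))  # sha1WithRSAEncryption
    sig = tlv(BIT_STRING, b"\x00" + bytes(8))                           # placeholder signature, 0 unused bits
    body = tbs + alg + sig
    if certs:
        body += tlv(CERTS_TAG, tlv(SEQUENCE, b"".join(certs)))
    return tlv(SEQUENCE, body)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Strict DER TLV reader: returns (tag, value, end); rejects indefinite and non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        if buf[pos] == 0 or (nbytes == 1 and buf[pos] < 0x80):
            raise ValueError("non-minimal length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def children(buf: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a constructed value into (tag, value, full_der) triples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, end = read_tlv(buf, pos)
        out.append((tag, value, buf[pos:end]))
        pos = end
    return out


def ocsp_response_certs(der: bytes) -> List[bytes]:
    """Return the DER of each Certificate in certs [0], or [] when the OPTIONAL field is absent."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single top-level SEQUENCE")
    fields = children(body)
    if [f[0] for f in fields[:3]] != [SEQUENCE, SEQUENCE, BIT_STRING]:
        raise ValueError("mandatory tbsResponseData/signatureAlgorithm/signature missing")
    if len(fields) == 3:
        return []  # certs absent: the responder certificate must be obtained elsewhere
    if len(fields) != 4 or fields[3][0] != CERTS_TAG:
        raise ValueError("fourth field is not certs [0] EXPLICIT")
    inner = children(fields[3][1])
    if len(inner) != 1 or inner[0][0] != SEQUENCE:
        raise ValueError("certs [0] must wrap exactly one SEQUENCE OF Certificate")
    certs = []
    for tag, _value, full in children(inner[0][1]):
        if tag != SEQUENCE:
            raise ValueError("Certificate must be a SEQUENCE")
        certs.append(full)  # keep the full DER so the caller can verify and chain it
    return certs


# Constructed placeholders standing in for real DER certificates.
SAMPLE_CERTS = [tlv(SEQUENCE, b"\x02\x01\x01"), tlv(SEQUENCE, b"\x02\x01\x02")]

if __name__ == "__main__":
    resp = build_basic_ocsp_response(SAMPLE_CERTS)
    print(len(ocsp_response_certs(resp)), "certs embedded;",
          len(ocsp_response_certs(build_basic_ocsp_response([]))), "when omitted")
```

The reader deliberately refuses BER-only encodings (indefinite or non-minimal lengths) and anything other than a single [0] wrapper after the signature, since a lenient parser here is exactly where an attacker would slip in an extra or differently tagged "certificate". Whatever comes out of certs still has to be chained to a trust anchor or matched against the known responder; presence in the response proves nothing by itself.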

From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Pavel V. 
Sent: Tuesday, March 04, 2008 2:46 PM
To: Nick(_dot_)Pope(_at_)thales-esecurity(_dot_)com; 
Subject: CAdES implementation. Complete Revocation References attribute.


Hello all and personally Nick!


I have a couple of new questions regarding CAdES implementation.


Consider section 6.2.2 of ETSI 101 733 v1.7.3 (excerpt):


CompleteRevocationRefs shall contain one CrlOcspRef for the 
signing-certificate, followed by one for each OtherCertID in the 
CompleteCertificateRefs attribute. The second and subsequent CrlOcspRef 
fields shall be in the same order as the OtherCertID to which they relate. At 
least one of CRLListID or OcspListID or OtherRevRefs should be present for all 
but the "trusted" CA of the certificate path.


The first question.

It seems to me that one can include an empty CrlOcspRef (without any CRLListID, 
OcspListID or OtherRevRefs) for a “trusted” CA. Am I right? If one cannot do 
that, then all “trusted” CA certificates have to be placed at the end of the 
CompleteCertificateRefs SEQUENCE. Which way is right? Or maybe both?


The second question.

It’s quite clear how to compose this attribute in a simple CRL-only case. Now, 
let us use OCSP. Where should one place the certificate of the OCSP responder? It 
would be great if one could place a reference to this certificate in 
CompleteCertificateRefs (but it is in some way prohibited by the phrase “It 
references the full set of CA certificates that … ” in section 6.2.1). Let us 
assume that this certificate is no-check and one does not need to place the 
corresponding CrlOcspRef into the CompleteRevocationRefs attribute. Then one has 
to equate such an OCSP-responder certificate to a “trusted” CA and either include 
an empty CrlOcspRef in CompleteRevocationRefs or place the certificate at the end 
of the CompleteCertificateRefs SEQUENCE. How should I solve this?


Pavel Smirnov

Tel./Fax: +7 495 780-4820
e-mail: spv(_at_)CryptoPro(_dot_)ru
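The ordering and non-emptiness rule quoted from ETSI TS 101 733 section 6.2.2 in the message above, as an added example that is not code from this thread or from any CAdES library. It maps each CrlOcspRef to the certificate it relates to (entry 0 to the signing certificate, entry i+1 to the i-th OtherCertID) and reports entries that carry none of CRLListID, OcspListID or OtherRevRefs. It assumes the reading the question proposes, that an empty CrlOcspRef for a "trusted" CA is acceptable; that is the open point the message asks about, not something the thread settles. The data classes are simplified stand-ins for the ASN.1 structures, and the certificate, CRL and OCSP labels are constructed sample values, not real hashes.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class CrlOcspRef:
    """Simplified stand-in for CrlOcspRef: which of its three OPTIONAL members are present."""
    crlids: List[str] = field(default_factory=list)     # CRLListID entries (CRL identifiers)
    ocspids: List[str] = field(default_factory=list)    # OcspListID entries (OCSP response identifiers)
    other_rev: List[str] = field(default_factory=list)  # OtherRevRefs entries

    def is_empty(self) -> bool:
        return not (self.crlids or self.ocspids or self.other_rev)


def pair_revocation_refs(signing_cert: str, complete_cert_refs: List[str],
                         complete_rev_refs: List[CrlOcspRef]) -> List[Tuple[str, CrlOcspRef]]:
    """Apply the ordering rule: entry 0 belongs to the signing certificate, entry i+1 to OtherCertID i."""
    expected = [signing_cert] + complete_cert_refs
    if len(complete_rev_refs) != len(expected):
        raise ValueError(
            f"need {len(expected)} CrlOcspRef entries (signing cert + "
            f"{len(complete_cert_refs)} OtherCertID), found {len(complete_rev_refs)}")
    return list(zip(expected, complete_rev_refs))


def check_revocation_refs(signing_cert: str, complete_cert_refs: List[str],
                          complete_rev_refs: List[CrlOcspRef], trusted: Set[str]) -> List[str]:
    """Return the rule violations found (an empty list means the two attributes are consistent)."""
    try:
        pairs = pair_revocation_refs(signing_cert, complete_cert_refs, complete_rev_refs)
    except ValueError as e:
        return [str(e)]
    problems = []
    for i, (cert, ref) in enumerate(pairs):
        # Assumption from the question: only a "trusted" CA may have an empty CrlOcspRef.
        if ref.is_empty() and cert not in trusted:
            problems.append(f"CrlOcspRef #{i} ({cert}) carries no CRLListID, OcspListID or OtherRevRefs")
    return problems


# Constructed sample: end-entity checked via OCSP, its issuing CA covered by a CRL,
# and the root treated as the "trusted" CA. Labels stand in for cert/CRL/OCSP hashes.
SIGNING_CERT = "ee-cert"
CERT_REFS = ["sub-ca-cert", "root-cert"]
TRUSTED = {"root-cert"}
REV_REFS_OK = [
    CrlOcspRef(ocspids=["ocsp-resp-for-ee"]),
    CrlOcspRef(crlids=["root-crl-0042"]),
    CrlOcspRef(),  # empty entry positioned against the trusted root
]
# Same refs with the last two swapped: the empty CrlOcspRef now lines up with the sub-CA.
REV_REFS_MISORDERED = [REV_REFS_OK[0], REV_REFS_OK[2], REV_REFS_OK[1]]

if __name__ == "__main__":
    print(check_revocation_refs(SIGNING_CERT, CERT_REFS, REV_REFS_OK, TRUSTED))
    print(check_revocation_refs(SIGNING_CERT, CERT_REFS, REV_REFS_MISORDERED, TRUSTED))
```

Because the spec ties the two attributes together purely by position, a verifier has no other handle on which reference belongs to which certificate; the misordered sample shows that a single swap silently moves the empty entry onto a CA that does need revocation data, which is why the count and position checks belong in validation rather than being assumed from the encoder.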

