
RE: CAdES implementation. Complete Revocation References attribute.

2008-03-06 10:13:42


The first point is closed now, thanks.


On the second one. I certainly can store a certificate of OCSP-responder in
OCSP response itself, but this response by default is not protected by
CrlOcspRef and hence, existence of this certificate is not protected by
CAdES-C time-stamp or by time-stamped-certs-crls-references attribute. Of
course, I can force OcspResponsesID to include optional ocspRepHash to
protect this certificate, but this way somehow contradicts a remark on
ocspRepHash (cited): Since it may be needed to make the difference between
two OCSP responses received within the same second, then the hash of the
response contained in the OcspResponsesID may be needed to solve the


That said, I want to bring your attention to the other case. Consider a
dedicated CRL issuer implied by policy with its own CRL-issuer-certificate.
Where could I store this certificate and a reference to it? Now there is
only a CRL (or maybe an ARL) signed by this issuer in my message and I cannot
include its certificate in that CRL. Why don't we just allow any certificate
needed to validate a path (not only CA certificates) to be included in
complete certificate references attribute?


Pavel Smirnov

Tel./Fax: +7 495 780-4820
WWW:  <>
e-mail:  <mailto:spv(_at_)CryptoPro(_dot_)ru> spv(_at_)CryptoPro(_dot_)ru


From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
On Behalf Of Pope, Nick
Sent: Wednesday, March 05, 2008 12:27 PM
To: Смирнов Павел Владимирович; Pope, Nick; ietf-smime(_at_)imc(_dot_)org
Cc: 'LISTSERV(_at_)LIST(_dot_)ETSI(_dot_)ORG'
Subject: RE: CAdES implementation. Complete Revocation References attribute.




On your first question, if there is no CRL or OCSP available then the
sequence can be empty.


Peter Rybar's suggestion regarding the second point (repeated below) is


"RFC 2560


4.2.1  ASN.1 Specification of the OCSP Response


BasicOCSPResponse       ::= SEQUENCE {
      tbsResponseData      ResponseData,
      signatureAlgorithm   AlgorithmIdentifier,
      signature            BIT STRING,
      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }


It means: you must use the OPTIONAL certs for this purpose.

A similar problem is solved with timestamps, where the certs and CRL for
timestamp validation are included in the timestamp and not in the signature
which is timestamped."





-----Original Message-----
From: Pavel V. Smirnov [mailto:spv(_at_)cryptopro(_dot_)ru] 
Sent: 04 March 2008 13:46
To: Nick(_dot_)Pope(_at_)thales-esecurity(_dot_)com; 
Subject: CAdES implementation. Complete Revocation References attribute.


Hello all and personally Nick!


I have a couple new questions regarding CAdES implementation.


Consider section 6.2.2 of ETSI 101 733 v1.7.3 (excerpt):


CompleteRevocationRefs shall contain one CrlOcspRef for the
signing-certificate, followed by one for each OtherCertID in the
CompleteCertificateRefs attribute. The second and subsequent CrlOcspRef
fields shall be in the same order as the OtherCertID to which they relate.
At least one of CRLListID or OcspListID or OtherRevRefs should be present
for all but the "trusted" CA of the certificate path.


The first question.

It seems to me that one can include an empty CrlOcspRef (without any
CRLListID or OcspListID or OtherRevRefs) for a "trusted" CA. Am I right? If
one cannot do like that, then all "trusted" CA certificates have to be placed
at the end of the CompleteCertificateRefs SEQUENCE. Which way is right? Or
maybe both?


The second question.

It's quite clear how to compose this attribute in a simple CRL-only case.
Now, let us use OCSP. Where should one place a certificate of the
OCSP-responder? It would be great if one could place a reference to this
certificate in CompleteCertificateRefs (but it is in some way prohibited by
the phrase "It references the full set of CA certificates that ... " in
section 6.2.1). Let us assume that this certificate is no-check and one does
not need to place the corresponding CrlOcspRef into the
CompleteRevocationRefs attribute. Then one has to equate such an
OCSP-responder certificate to a "trusted" CA and either include an empty
CrlOcspRef in CompleteRevocationRefs or place the certificate at the end of
the CompleteCertificateRefs SEQUENCE. How should I solve this?


Pavel Smirnov

Tel./Fax: +7 495 780-4820
WWW:  <>
e-mail:  <mailto:spv(_at_)CryptoPro(_dot_)ru> spv(_at_)CryptoPro(_dot_)ru
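As an added illustration of the section 6.2.2 ordering rule quoted in the original question (this is example code, not from the thread or any CAdES library), the following Python models CompleteCertificateRefs and CompleteRevocationRefs as plain objects and checks that each OtherCertID has a CrlOcspRef at the matching position and that only a "trusted" CA is left without a revocation reference, which is the reading Nick confirms above. The certificate labels, CRL and OCSP identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Added example, not code from the thread or from any CAdES library: a
# simplified in-memory model of CompleteCertificateRefs / CompleteRevocationRefs
# used to check the ordering rule quoted from ETSI TS 101 733 section 6.2.2.
# Field names follow the spec; the structures are not real ASN.1 encodings.

@dataclass
class OtherCertID:
    subject: str              # constructed label for the referenced certificate
    trusted_ca: bool = False  # the "trusted" CA (trust anchor) of the path

@dataclass
class CrlOcspRef:
    crlids: List[str] = field(default_factory=list)          # CRLListID
    ocspids: List[str] = field(default_factory=list)         # OcspListID
    other_rev_refs: List[str] = field(default_factory=list)  # OtherRevRefs

    def is_empty(self) -> bool:
        return not (self.crlids or self.ocspids or self.other_rev_refs)

def check_revocation_refs(cert_refs, rev_refs):
    """Return findings (an empty list means the attributes are consistent).

    6.2.2: one CrlOcspRef for the signing certificate, then one for each
    OtherCertID in CompleteCertificateRefs, in the same order; at least one
    of CRLListID / OcspListID / OtherRevRefs should be present for all but
    the trusted CA. Position 0 is the signing certificate (never trusted).
    """
    findings = []
    expected = 1 + len(cert_refs)
    if len(rev_refs) != expected:
        findings.append(f"expected {expected} CrlOcspRef entries, found {len(rev_refs)}")
    labels = ["signing-certificate"] + [c.subject for c in cert_refs]
    trusted = [False] + [c.trusted_ca for c in cert_refs]
    for i, ref in enumerate(rev_refs[:expected]):
        if ref.is_empty() and not trusted[i]:
            findings.append(f"CrlOcspRef #{i} ({labels[i]}) has no revocation reference")
    return findings

def example_path():
    """Constructed path: signing cert <- issuing CA <- trusted root CA."""
    cert_refs = [OtherCertID("Issuing CA"), OtherCertID("Root CA", trusted_ca=True)]
    rev_refs = [CrlOcspRef(ocspids=["ocsp-resp-001"]),   # signing certificate
                CrlOcspRef(crlids=["ca-crl-2008-03"]),    # issuing CA
                CrlOcspRef()]                             # trusted root: empty allowed
    return cert_refs, rev_refs
```

Dropping the issuing CA's CRLListID or removing one CrlOcspRef from the list produces a finding, while the empty entry for the trusted root does not.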