[Top] [All Lists]

Re: CAdES implementation. Complete Revocation References attribute.

2008-03-13 11:54:55


comments inline,

Pavel V. Smirnov wrote:
Nick and other,

2) On the second point I have a concern of a marked text (time-stamping authorities). The paragraph closing 6.2.1 says:

This attribute MAY include references to the certification chain for any TSUs that provides time-stamp tokens. In this

case the unsigned attribute shall be added to the signedData of the relevant times tamp token as an unsignedAttrs in

the signerInfos field.
It seems that this is a direct contradiction. All other is perfect to me.

I agree that the timestamping certificate does not seem to fit in here. This attribute is (as far as I understand) meant to include all the certificate references needed to validate a chain, but the EE reference.

Should this attribute be added to timestamp token as suggested, the EE certificate (e.g. the timestamping one in that case) would be referenced in the signing certificate attribute, and the attribute would only contain CA certificates, OCSP responder certificates and Indirect CRL issuer certificates, as in the previous case.

3) On the third point. It seems reasonable not to enforce one-to-one relationship, but I think it is too late to change because it could break existing implementations. Or maybe we can introduce a new CompleteRevocationRefs attribute with other OID and declare the old one deprecated but supported for backward compatibility?..

I agree that it could theoretically break some verification implementations. However, authorizing empty references can also break the implementations that are checking the mapping. Also, I fail to see any simple way to take advantage of the mapping, so I assume that most implementations will

1) Retrieve all the revocation material in a unordered bag
2) Proceeed with X509 validation
3) Optionally, verify the one-to-one relationship

That is what we originally wanted to do. Now, because of the other issue of empty references that you mentioned earlier (OCSP response with the no-check extension), even checking the one-to-one mapping is not clearly defined, as different implementations may either skip one entry or put an empty one in that case.

Instead of declaring invalid a perfect signature because some arbitrary mapping is not respected, we decided to remove the mapping check all together.

During a plugtest on CAdES, I enquired about this issue and I turned out that other implementations that faced the same issue would simply not verify the one-to-one mapping.

That about it for my 2 cents...



Pavel Smirnov

Tel./Fax: +7 495 780-4820
WWW: <>
e-mail: spv(_at_)CryptoPro(_dot_)ru <mailto:spv(_at_)CryptoPro(_dot_)ru>

*From:* Pope, Nick [mailto:Nick(_dot_)Pope(_at_)thales-esecurity(_dot_)com]
*Sent:* Thursday, March 13, 2008 11:33 AM
*To:* Смирнов Павел Владимирович; ietf-smime(_at_)imc(_dot_)org; 
*Cc:* Julien Stern
*Subject:* RE: CAdES implementation. Complete Revocation References attribute.


Apologies for not getting back earlier. I was at an ETSI meeting where I had a chance to briefly discuss this issue with colleagues including Julien Stern who had raised the same issue earlier.

I would like to ensure that we have agreement on the best approach and include the necessary change in TS 101 733 (post 1.7.4). Unfortunately it is too late to update RFC 5126 but I hope we can find an approach that does not break existing implementations.

1) On the first point (there being no revocation information for a given CA certificate) for the record I suggest there should be a clarification in 6.2.2 of TS 101 733:

/"The CrlOcspRef may contain an empty SEQUENCE if there is no revocation information for a certificate."/

2) On the second point I also propose that in 6.2.1:

/Change "CA certificates that have been used to validate ..." to "CA and any other certificates (e.g. certificates of CRL issuers, OCSP responders, ??? time-stamping authorities) that have been used to validate ..."/

3) There is an further point that has been raised whether in 6.2.2 there should be a direct one to one relationship between the revocation information in 6.2.2 and the certificates in 6.2.1.

Views are sought from ETSI ESI and IETF experts on the proposed changes and the third point.


-----Original Message-----
*From:* Pavel V. Smirnov [mailto:spv(_at_)cryptopro(_dot_)ru]
*Sent:* 06 March 2008 16:47
*To:* 'Pope, Nick'; ietf-smime(_at_)imc(_dot_)org
*Cc:* LISTSERV(_at_)LIST(_dot_)ETSI(_dot_)ORG
*Subject:* RE: CAdES implementation. Complete Revocation References attribute.


The first point  is closed now, thanks.

On the second one. I certainly can store a certificate of OCSP-responder in OCSP response itself, but this response by default is not protected by CrlOcspRef and hence, existence of this certificate is not protected by CAdES-C time-stamp or by time-stamped-certs-crls-references attribute. Of course, I can force OcspResponsesID to include optional ocspRepHash to protect this certificate, but this way somehow contradicts a remark on ocspRepHash (cited): Since it may be needed to make the difference between two OCSP responses received within the same second, then the hash of the response contained in the OcspResponsesID may be needed to solve the ambiguity.

That said, I want to bring your attention to the other case. Consider a dedicated CRL issuer implied by policy with its own CRL-issuer-certificate. Where could I store this certificate and a reference to it? Now there is only a CRL (or may be ARL) signed by this issuer in my message and I cannot include its certificate in that CRL. Why don't we just allow _any certificate needed to validate a path_ (not only CA certificates) to be included in complete certificate references attribute?

Pavel Smirnov

Tel./Fax: +7 495 780-4820
WWW: <>
e-mail: spv(_at_)CryptoPro(_dot_)ru <mailto:spv(_at_)CryptoPro(_dot_)ru>

*From:* owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org [mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] *On Behalf Of *Pope, Nick
*Sent:* Wednesday, March 05, 2008 12:27 PM
*To:* Смирнов Павел Владимирович; Pope, Nick; ietf-smime(_at_)imc(_dot_)org
*Cc:* 'LISTSERV(_at_)LIST(_dot_)ETSI(_dot_)ORG'
*Subject:* RE: CAdES implementation. Complete Revocation References attribute.


One your first question, if there is no CRL or OCSP available than the sequence can be empty.

Peter Rybar's suggestion regarding the second point (repeated below) is fine.

"RFC 2560

4.2.1  ASN.1 Specification of the OCSP Response

BasicOCSPResponse       ::= SEQUENCE {

      tbsResponseData      ResponseData,

      signatureAlgorithm   AlgorithmIdentifier,

      signature            BIT STRING,

      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

It means: you must use the OPTIONAL certs for this purpose.

Similar problem is solving with timestamp, where the certs and CRL for timestamp validation are included in the timestamp and not in the signature which is timestamped."


-----Original Message-----
*From:* Pavel V. Smirnov [mailto:spv(_at_)cryptopro(_dot_)ru]
*Sent:* 04 March 2008 13:46
*To:* Nick(_dot_)Pope(_at_)thales-esecurity(_dot_)com; 
*Subject:* CAdES implementation. Complete Revocation References attribute.

Hello all and personally Nick!

I have a couple new questions regarding CAdES implementation.

Consider section 6.2.2 of ETSI 101 733 v1.7.3 (excerpt):

CompleteRevocationRefs shall contain one CrlOcspRef for the signing-certificate, followed by one

for each OtherCertID in the CompleteCertificateRefs attribute. The second and subsequent CrlOcspRef

fields shall be in the same order as the OtherCertID to which they relate. At least one of CRLListID or

OcspListID or OtherRevRefs should be present for all but the "trusted" CA of the certificate path.

The first question.

It seems to me that one can include an empty CrlOcspRef (without any CRLListID or

OcspListID or OtherRevRefs) for a "trusted" CA. Am I right? If one cannot do like that, then all "trusted" CA certificates have to be placed at the end of CompleteCertificateRefs SEQUENCE. Which way is right? Or may be both?

The second question.

It's quite clear how to compose this attribute in a simple CRL-only case. Now, let us use OCSP. Where should one place a certificate of OCSP-responder? It would be great if one could place a reference to this certificate in CompleteCertificateRefs (but it is in some way prohibited by the phrase "It references the full set of _CA_

certificates that ... " in section 6.2.1). Let us assume that this certificate is no-check and one does not need to place the corresponding CrlOcspRef into CompleteRevocationRefs attribute. Then one have to equate such OCSP-responder certificate to a "trusted" CA and either include an empty CrlOcspRef in CompleteRevocationRefs or place the certificate at the end of CompleteCertificateRefs SEQUENCE. How should I solve this?

Pavel Smirnov

Tel./Fax: +7 495 780-4820
WWW: <>
e-mail: spv(_at_)CryptoPro(_dot_)ru <mailto:spv(_at_)CryptoPro(_dot_)ru>

*/_Consider the environment before printing this mail._/*

*/"Thales e-Security Limited is incorporated in England and Wales with company registration number 2518805. Its registered office is located at 2 Dashwood Lang Road, The Bourne Business Park, Addlestone, Nr. Weybridge, Surrey KT15 2NX./*

*/The information contained in this e-mail is confidential. It may also be privileged. It is only intended for the stated addressee(s) and access to it by any other person is unauthorised. If you are not an addressee or the intended addressee, you must not disclose, copy, circulate or in any other way use or rely on the information contained in this e-mail. Such unauthorised use may be unlawful. If you have received this e-mail in error please delete it (and all copies) from your system, please also inform us immediately on +44 (0)1844 201800 or email postmaster(_at_)thales-esecurity(_dot_)com(_dot_) Commercial matters detailed or referred to in this e-mail are subject to a written contract signed for and on behalf of Thales e-Security Limited"./*