CadES requires the signing certificate reference. This is not going to change.
You would like to time-stamp non-CAdES signatures. You can certainly do this,
but do not call this CAdES-T.
Placing the reference in the time-stamp token would not provide the same
protection.
Regards,
Denis
Denis Pinkas, denis(_dot_)pinkas(_at_)bull(_dot_)net
2008-05-26
----- Message reçu -----
De : owner-ietf-smime
À : 'Pope,Nick',ESI,ietf-smime
Date : 2008-05-26, 12:50:13
Sujet : Extending CAdES to support usual signature upgrading to CAdES-T and
further
Hello all and personally Nick,
In current CAdES wording a regular signature without at least one signed
attribute (Signing certificate reference) cannot be added with timestamps and
validation data to achieve CAdES-T or more advanced CAdES signature. This need
arises, e.g., in a system with existing regular signatures. There is no chance
to add the required attribute to the already computed signature, but there is a
strong need to add CAdES properties to such signatures.
There is rather simple approach to achieve the same properties without
including signing certificate reference as a signed attribute. Let us include
this reference as an extension in the CAdES-T timestamp (signature timestamp).
To get such timestamp one would need to include this extension in a timestamp
request and a TSA would have to shift this extension to a timestamp token.
Let us define the proposed extension to a timestamp protocol and call the
signature we get a valid CAdES-T signature. More advanced CAdES signature types
turn out from this new CAdES-T perfectly without any modification. What do you
think?
Pavel Smirnov
Crypto-Pro
Tel./Fax: +7 495 780-4820
WWW: http://www.CryptoPro.ru
e-mail: spv(_at_)CryptoPro(_dot_)ru