On 03/11/2013 11:17 PM, [email protected] wrote:
That is what we talk about here.
Try to check previous posts in this thread.
RFC 3126 says:
This document mandates the presence of this attribute as a signed CMS
attribute, and the sequence must not be empty. The certificate used
to verify the signature must be identified in the sequence, the
Signature Validation Policy may mandate other certificate references
to be present, that may include all the certificates up to the point
of trust. The encoding of the ESSCertID for this certificate must
include the issuerSerial field.
RFC 5035 says:
If more than one certificate is present, subsequent certificates
limit the set of certificates that are used during validation.
Certificates can be either attribute certificates (limiting
authorizations) or public key certificates (limiting path
validation). The issuerSerial field (in the ESSCertIDv2
structure) SHOULD be present for these certificates, unless the
client who is validating the signature is expected to have easy
access to all the certificates required for validation. If only
the signing certificate is present in the sequence, there are no
restrictions on the set of certificates used in validating the
signature.
The time stamp does not include issuerSerial in the second ESSCertID.
There is no specification of any profile of time stamps that
indicates that a client MUST support attribute certs.
I do not think that the authors of 3161, 3126 had in mind any
support of attribute certs. I don't recall any profile requiring
this.
If a timestamp ESS would be OK with an attribute cert, what is
the client supposed to do? It can verify the signatures of
the attribute cert up to some trust anchor, but then?
What authorisation is supposed to be checked? That the
TSA is allowed to issue certs for a particular policy? (don't
yes, maybe).
If the TS client is able to do some non-standardized special
verification, use that one.
Peter
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
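The RFC 5035 semantics discussed in this thread, as an added example that is not part of the original post or of OpenSSL: the first ESSCertIDv2 must identify the signing certificate, a single entry imposes no restriction, and later entries restrict which certificates may be used in path validation, with a warning when one of them lacks issuerSerial (the situation the time stamp above is in). Certificates, hashes and issuer/serial values are constructed stand-ins, and the SHA-256 default of ESSCertIDv2 is assumed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IssuerSerial:
    issuer: str          # simplified stand-in for the GeneralNames issuer
    serial: int

@dataclass(frozen=True)
class ESSCertIDv2:
    cert_hash: bytes                             # SHA-256 of the DER cert (RFC 5035 default)
    issuer_serial: Optional[IssuerSerial] = None  # SHOULD be present for non-first entries

@dataclass(frozen=True)
class Cert:
    der: bytes           # constructed placeholder bytes, not a real certificate
    issuer: str
    serial: int

    def matches(self, cid: ESSCertIDv2) -> bool:
        if hashlib.sha256(self.der).digest() != cid.cert_hash:
            return False
        if cid.issuer_serial is None:            # hash-only reference: match on the hash alone
            return True
        return (cid.issuer_serial.issuer, cid.issuer_serial.serial) == (self.issuer, self.serial)

def check_signing_certificate_v2(ids, signing_cert, available):
    """Returns (ok, certs allowed for path validation, warnings) per RFC 5035 section 5.4."""
    if not ids:
        return False, [], ["certs sequence must not be empty"]
    if not signing_cert.matches(ids[0]):
        return False, [], ["first ESSCertIDv2 does not identify the signing certificate"]
    if len(ids) == 1:                            # only the signer: no restriction on validation
        return True, list(available), []
    warnings = [f"ESSCertIDv2 #{i} lacks issuerSerial; matched by hash only"
                for i, cid in enumerate(ids[1:], start=2) if cid.issuer_serial is None]
    allowed = [c for c in available if any(c.matches(cid) for cid in ids[1:])]
    warnings += [f"certificate serial {c.serial} excluded from path validation"
                 for c in available if c not in allowed]
    return True, allowed, warnings

def make_id(cert: Cert, with_issuer_serial: bool = True) -> ESSCertIDv2:
    issuer_serial = IssuerSerial(cert.issuer, cert.serial) if with_issuer_serial else None
    return ESSCertIDv2(hashlib.sha256(cert.der).digest(), issuer_serial)

# Constructed sample: TSA signer plus its CA referenced without issuerSerial, as in the thread.
TSA = Cert(b"constructed-tsa-cert", issuer="CN=Example CA", serial=4711)
CA = Cert(b"constructed-ca-cert", issuer="CN=Example Root", serial=1)
OTHER = Cert(b"constructed-other-ca", issuer="CN=Example Root", serial=2)

def demo():
    return check_signing_certificate_v2([make_id(TSA), make_id(CA, False)], TSA, [CA, OTHER])
```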