
dss-x message



Subject: Question on individual verification report


Detlef,

While identifying test cases for this profile, I came to a point where I 
have some doubt...imagine the following situation:

One simple signature to be verified. The signature does not contain 
signed or unsigned properties (no time-stamps, no attribute 
certificates, etc.).

The CA hierarchy is direct: RootCAOK -> CAAOK -> CABOK -> signing 
certificate.

Now the individual report contains the DetailedSignatureReport element, 
with a CertificatePathValidity child. This one contains 
PathValidityDetail. This one contains several CertificateValidity 
children. Each CertificateValidity element contains a Certificate 
Status, and this one may contain RevocationInfo (optional).

Well, imagine that the status of all the certificates is checked using 
CRL, this RevocationInfo would contain a CRLValidity element....

BUT...this CRLValidity element, has a mandatory CertificatePathValidity 
element, with all the aforementioned elements...

Well, the issue is that the CRL is issued by one of the CAs in the 
chain, and likely signed with the same certificate as the one used in 
the signing certificate path...so its certificatePathValidity element 
would contain redundant information!! Would this not justify making 
these CertificatePathValidity elements optional?

Regards

Juan Carlos.
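
The following is an added example, not part of the original message or of the profile: it builds the report structure described above for the RootCAOK -> CAAOK -> CABOK -> signing certificate chain and counts how many CertificateValidity entries the nested CRLValidity paths repeat. It assumes each CRL is signed directly with the issuing CA's certificate; the `subject` attribute and the element content are simplified, hypothetical stand-ins for the real schema.

```python
import xml.etree.ElementTree as ET

# Constructed chain from the message: root first, signing certificate last.
CHAIN = ["RootCAOK", "CAAOK", "CABOK", "SigningCert"]

def path_validity(parent, subjects, with_crl):
    """Append CertificatePathValidity/PathValidityDetail covering `subjects`."""
    detail = ET.SubElement(ET.SubElement(parent, "CertificatePathValidity"),
                           "PathValidityDetail")
    for i, subject in enumerate(subjects):
        # `subject` is a hypothetical attribute, used only to identify the certificate.
        cv = ET.SubElement(detail, "CertificateValidity", subject=subject)
        status = ET.SubElement(cv, "CertificateStatus")
        if with_crl and i > 0:  # the root has no issuer CRL to check
            crl = ET.SubElement(ET.SubElement(status, "RevocationInfo"),
                                "CRLValidity")
            # Mandatory child: the path of the CRL signer, which under the
            # stated assumption is the chain above this certificate.
            path_validity(crl, subjects[:i], with_crl=False)
    return detail

def build_report():
    """Build the simplified individual report for CHAIN."""
    report = ET.Element("DetailedSignatureReport")
    path_validity(report, CHAIN, with_crl=True)
    return report

def redundancy(report):
    """Return (outer entries, nested entries, subjects seen only in nested paths)."""
    outer = report.find("CertificatePathValidity/PathValidityDetail")
    outer_subjects = [cv.get("subject")
                      for cv in outer.findall("CertificateValidity")]
    nested = [cv.get("subject")
              for crl in report.iter("CRLValidity")
              for cv in crl.iter("CertificateValidity")]
    only_nested = sorted(set(nested) - set(outer_subjects))
    return len(outer_subjects), len(nested), only_nested

if __name__ == "__main__":
    outer, nested, only_nested = redundancy(build_report())
    print(f"outer path entries: {outer}, nested CRL path entries: {nested}, "
          f"certificates seen only in nested paths: {only_nested}")
```
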

