OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

dss-x message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: AW: [dss-x] Question on individual verification report

Hallo Juan Carlos,

thanks for your mail. As far as I understand the problem, it is not
a real issue, because if a verification report segment for a specific 
certificate would appear a second time it could of course be 
omitted by dropping the corresponding PathValidityDetail-element. 
I think that this approach (including the PathValiditySummary and 
CertificateIdentifier, but dropping the PathValidtyDetail) would be 
preferable from an evidence/audit point of view compared to the
option to drop the entire CertificatePathValidity-element.

Nevertheless we may discuss, whether we should in addition provide some sort
of IDRef, which unambigiously points to the corresponding
of the first occurance. 

What do you think?


> -----Ursprüngliche Nachricht-----
> Von: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu]
> Gesendet: Montag, 14. Februar 2011 17:55
> An: dss-x
> Betreff: [dss-x] Question on individual verification report
> Detlef,
> While identifying test cases for this profile, I came to a point where I
> some doubt...imagine the following situation:
> One simple signature to be verified. The signature does not contain signed
> unsigned properties (no time-stamps, no attribute certificates, etc.).
> The CAs hierarchy is direct: RootCAOK -> CAAOK -> CABOK -> signing
> certificate.
> Now the individual report contains the DetailedSignatureReport element,
> with a CertificatePathValidity child. This one contains
PathValidityDetail. This
> one contains several CertificateValidity children. Each
> element contains a Certificate Status, and this one may contain
> RevocationInfo (optional).
> Well, imagine that the status of all the certificates is checked using
CRL, this
> RevocationInfo would contain an CRLValidity element....
> BUT...this CRLValidity element, has a mandatory CertificatePathValidity
> element, with all the aforementioned elements...
> Well, the issue is that in the CRL is issued by one of the CAs in the
chain, and
> likely signed with the same certificate as the one used in the signing
> path...so its certificatePathValidity element would contain redundant
> information!!. Would not this justify to make these elements
> CertificatePathValidity optional?
> Regards
> Juan Carlos.
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-
> open.org/apps/org/workgroup/portal/my_workgroups.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]