Subject: AW: [dss-x] Question on individual verification report
Hello Juan Carlos,

thanks for your mail.

As far as I understand the problem, it is not a real issue, because if a verification report segment for a specific certificate would appear a second time it could of course be omitted by dropping the corresponding PathValidityDetail-element.

I think that this approach (including the PathValiditySummary and CertificateIdentifier, but dropping the PathValidityDetail) would be preferable from an evidence/audit point of view compared to the option to drop the entire CertificatePathValidity-element.

Nevertheless we may discuss whether we should in addition provide some sort of IDRef, which unambiguously points to the corresponding PathValidityDetail-element of the first occurrence.

What do you think?

BR,
Detlef

> -----Original Message-----
> From: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu]
> Sent: Monday, 14 February 2011 17:55
> To: dss-x
> Subject: [dss-x] Question on individual verification report
>
> Detlef,
>
> While identifying test cases for this profile, I came to a point where I have
> some doubt...imagine the following situation:
>
> One simple signature to be verified. The signature does not contain signed or
> unsigned properties (no time-stamps, no attribute certificates, etc.).
>
> The CAs hierarchy is direct: RootCAOK -> CAAOK -> CABOK -> signing
> certificate.
>
> Now the individual report contains the DetailedSignatureReport element,
> with a CertificatePathValidity child. This one contains PathValidityDetail. This
> one contains several CertificateValidity children. Each CertificateValidity
> element contains a Certificate Status, and this one may contain
> RevocationInfo (optional).
>
> Well, imagine that the status of all the certificates is checked using CRL, this
> RevocationInfo would contain a CRLValidity element....
>
> BUT...this CRLValidity element has a mandatory CertificatePathValidity
> element, with all the aforementioned elements...
>
> Well, the issue is that the CRL is issued by one of the CAs in the chain, and
> likely signed with the same certificate as the one used in the signing certificate
> path...so its certificatePathValidity element would contain redundant
> information!! Would not this justify to make these elements
> CertificatePathValidity optional?
>
> Regards
>
> Juan Carlos.
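
The approach described in the reply above (keep PathValiditySummary and CertificateIdentifier, drop PathValidityDetail when a certificate's segment repeats), as an added example that is not part of the original mail or of the DSS-X profile. The report layout is a constructed simplification: no namespaces, wrapper elements between CertificateValidity and CRLValidity omitted, and X509IssuerName/X509SerialNumber assumed as the children of CertificateIdentifier; `cert_key` and `prune_repeats` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified report: no namespaces, wrapper elements omitted.
SAMPLE = """<DetailedSignatureReport><CertificatePathValidity>
  <PathValiditySummary>valid</PathValiditySummary>
  <CertificateIdentifier><X509IssuerName>CN=CABOK</X509IssuerName>
    <X509SerialNumber>100</X509SerialNumber></CertificateIdentifier>
  <PathValidityDetail>
    <CertificateValidity><CRLValidity><CertificatePathValidity>
      <PathValiditySummary>valid</PathValiditySummary>
      <CertificateIdentifier><X509IssuerName>CN=CAAOK</X509IssuerName>
        <X509SerialNumber>3</X509SerialNumber></CertificateIdentifier>
      <PathValidityDetail><CertificateValidity/></PathValidityDetail>
    </CertificatePathValidity></CRLValidity></CertificateValidity>
    <CertificateValidity><CRLValidity><CertificatePathValidity>
      <PathValiditySummary>valid</PathValiditySummary>
      <CertificateIdentifier><X509IssuerName>CN=CAAOK</X509IssuerName>
        <X509SerialNumber>3</X509SerialNumber></CertificateIdentifier>
      <PathValidityDetail><CertificateValidity/></PathValidityDetail>
    </CertificatePathValidity></CRLValidity></CertificateValidity>
  </PathValidityDetail>
</CertificatePathValidity></DetailedSignatureReport>"""

def cert_key(cpv):
    """(issuer, serial) from CertificateIdentifier, or None if incomplete."""
    issuer = cpv.findtext("CertificateIdentifier/X509IssuerName")
    serial = cpv.findtext("CertificateIdentifier/X509SerialNumber")
    if not issuer or not serial:
        return None
    return (issuer.strip(), serial.strip())

def prune_repeats(elem, seen=None):
    """Drop PathValidityDetail from repeated CertificatePathValidity elements.
    Returns the number of details removed; summary and identifier stay."""
    seen = set() if seen is None else seen
    removed = 0
    for child in list(elem):
        if child.tag == "CertificatePathValidity":
            key = cert_key(child)
            if key is not None and key in seen:
                detail = child.find("PathValidityDetail")
                if detail is not None:
                    child.remove(detail)
                    removed += 1
                continue  # nothing below a pruned segment is recorded
            if key is not None:
                seen.add(key)
        removed += prune_repeats(child, seen)
    return removed

report = ET.fromstring(SAMPLE)
REMOVED = prune_repeats(report)
```

A segment without a complete CertificateIdentifier is never pruned, so the detail is only dropped where the first occurrence can be identified.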