-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extending signature to XAdES-A form fails #62
Comments
Original comment by Attachments:
|
Original comment by |
Original comment by Attachments:
|
Original comment by Attachments:
|
Original comment by Attachments: |
Original comment by Attachments: |
fyi: while I ( |
Thanks @tomato42! Actually, can you try to recap the use-cases you had back then?
Thanks. |
we started with XAdES-T (really XAdES-BES, but the timestamp was being added right away, still on the user's workstation, before document ingestion by the document management system)
the plan was to add a second timestamp quite quickly (within 24h) to protect against CA compromise and keep at least 2 independent timestamps valid at any one time
no, and it's not possible – Polish law allows the qualified CAs up to a week (IIRC, don't quote me on that, it was 5 years ago I last read it :) to publish up to date CRL data, so to create XAdES-X we have to wait multiple days after creation of XAdES-C, only after that grace period elapses, the document can be timestamped in a XAdES-X document. in other words: the CRL/OCSP is not considered valid until it was published at least a week (IIRC) after the signature was created (according to the timestamp) it is to protect against a situation in which the HSM is stolen and quickly used to create (technically) forged documents, and CA includes the the key-compromise date in the CRL (but at the same time, the CA doesn't have a requirement to keep the information about certificate revocation after the signing certificate would expire naturally so the CRL can't be too old either) (yes, it's quite complex, I hope I made myself clear... 😕 ) I don't know what was the actual period after which the XAdES-A was being created after that, I wasn't working on the deployment. But given that the system was designed with qualified signatures in mind and the qualified timestamps aren't exactly cheap, all the timestamping definitely was being stretched as much as possible (so you can expect that a second timestamp from the same CA wouldn't be used earlier than 1-2 months before the old one was scheduled to expire).
we didn't have at the time, but I don't know if it didn't change – the signatures were on data-exchange documents so requiring them to be verifiable by other tools wouldn't be too out of place... |
Thanks for the feedback @tomato42! |
Original issue reported on code.google.com by
hubert.k...@gmail.com
on 16 Dec 2012 at 9:22Attachments:
The text was updated successfully, but these errors were encountered: