EldoS | Feel safer!

OCSP Client connected to ElMessageSigner

#3205
Posted: 06/25/2007 06:05:55
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Hi,

I've been told to include in a Content Message Syntax (CMS) file the result of the OCSP validation of the certificates attached.

I tried to search in the forums, but nothing. I found this on google: http://www.imc.org/ietf-pkix/old-archive-03/msg00784.html

How can I do it with an ElMessageSigner + ElMemoryCertStorage + ElHTTPOCSPClient + ElHttpsClient?

I mean, with the response I have from the ElHTTPOCSPClient for each certificate in ElMemoryCertStorage, how do I include all that information, and how do I give it to the ElMessageSigner?

Many thanks
#3206
Posted: 06/25/2007 06:27:04
by Ken Ivanov (EldoS Corp.)

Most likely, you should include the OCSP attribute (either authenticated or non-authenticated) in the file being signed. Please see the corresponding properties of the TElMessageSigner class.

The link you've provided seems to make sense. I suggest you try adding the unauthenticated id-aa-ets-revocationRefs attribute (with the OCSP response value) to the signature and ask your customers to check if it suits them. If not, please ask them for more details about the task (such as the object identifier and format of the OCSP response).
#3207
Posted: 06/25/2007 06:39:54
by Ken Ivanov (EldoS Corp.)

Just reviewed RFC3126 with regard to the CrlOcspRef type. The CrlOcspRef structure seems to be a bit more complex than I expected, so I think it's a good idea to ask your customer if the OCSP records he expects are conformant to this specification.

You can also ask them for a sample signature with included OCSP response and send it to us, so that we could review it and point you to the right direction.
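The attribute discussed in the two replies above, as an added example that is not part of this thread and not SecureBlackbox or EldoS code. It hand-encodes the RFC 3126 id-aa-ets-revocationRefs attribute, which carries only a SHA-1 hash of each OCSP response keyed by the responder ID and producedAt, together with its companion id-aa-ets-revocationValues attribute, which carries the BasicOCSPResponse itself (a reference alone is useless to a verifier years later), and then cross-checks the two the way a verifier would. Python is used because the point is the ASN.1 layout, not a particular API. All DER input is constructed placeholder data: the responder key hash, the producedAt time and the "response" bytes are assumptions standing in for what a real OCSP client returns.

```python
import hashlib
from datetime import datetime, timezone

ID_AA_ETS_REVOCATION_REFS = "1.2.840.113549.1.9.16.2.22"    # RFC 3126 unsigned attr
ID_AA_ETS_REVOCATION_VALUES = "1.2.840.113549.1.9.16.2.24"  # RFC 3126 unsigned attr

# ---- minimal DER encoder / splitter (RFC 3126 and RFC 2560 use EXPLICIT tags) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_sequence(*items):   return tlv(0x30, b"".join(items))
def der_set(*items):        return tlv(0x31, b"".join(sorted(items)))  # DER: SET OF is sorted
def der_octet_string(b):    return tlv(0x04, b)
def explicit(n, body):      return tlv(0xA0 | n, body)                 # [n] EXPLICIT wrapper

def der_generalized_time(t):
    return tlv(0x18, t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode())

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:          # base-128, high bit set on all but the last byte
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_split(buf):
    """Parse consecutive TLVs from buf -> list of (tag, body, raw_tlv)."""
    out, i = [], 0
    while i < len(buf):
        start, tag, n, i = i, buf[i], buf[i + 1], i + 2
        if n & 0x80:               # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n], buf[start:i + n]))
        i += n
    return out

def children(tlv_bytes):
    """Children of one constructed DER value."""
    return der_split(der_split(tlv_bytes)[0][1])

# ---- RFC 3126 structures ----
def ocsp_responses_id(responder_key_hash, produced_at, basic_ocsp_response):
    # OcspResponsesID ::= SEQUENCE { OcspIdentifier, ocspRepHash OtherHash }
    # ResponderID byKey is [2] OCTET STRING; OtherHash.sha1Hash is a bare OCTET STRING.
    ocsp_identifier = der_sequence(tlv(0xA2, der_octet_string(responder_key_hash)),
                                   der_generalized_time(produced_at))
    return der_sequence(ocsp_identifier,
                        der_octet_string(hashlib.sha1(basic_ocsp_response).digest()))

def crl_ocsp_ref(responses_ids):
    # CrlOcspRef with only ocspids [1] OcspListID ::= SEQUENCE { SEQUENCE OF OcspResponsesID }
    return der_sequence(explicit(1, der_sequence(der_sequence(*responses_ids))))

def attribute(oid, value):
    # CMS Attribute ::= SEQUENCE { attrType OID, attrValues SET OF AttributeValue }
    return der_sequence(der_oid(oid), der_set(value))

def revocation_refs_attribute(crl_ocsp_refs):
    # CompleteRevocationRefs: one CrlOcspRef per certificate, signer's first,
    # then in the order of the complete-certificate-refs attribute.
    return attribute(ID_AA_ETS_REVOCATION_REFS, der_sequence(*crl_ocsp_refs))

def revocation_values_attribute(basic_ocsp_responses):
    # RevocationValues with ocspVals [1] SEQUENCE OF BasicOCSPResponse
    # (the BasicOCSPResponse, not the outer OCSPResponse wrapper seen on the wire).
    return attribute(ID_AA_ETS_REVOCATION_VALUES,
                     der_sequence(explicit(1, der_sequence(*basic_ocsp_responses))))

def refs_match_values(refs_attr, values_attr):
    """Verifier-side check: every ocspRepHash in the refs attribute must equal the
    SHA-1 of a BasicOCSPResponse actually carried in the values attribute."""
    ref_hashes, present = set(), set()
    complete_refs = der_split(children(refs_attr)[1][1])[0][2]     # value inside SET OF
    for _, _, ref in children(complete_refs):                      # each CrlOcspRef
        for tag, _, ocspids in children(ref):
            if tag != 0xA1:                                        # only ocspids [1]
                continue
            ocsp_list_id = children(ocspids)[0][2]
            for _, _, rid in children(children(ocsp_list_id)[0][2]):
                ref_hashes.add(children(rid)[1][1])                # ocspRepHash octets
    revocation_values = der_split(children(values_attr)[1][1])[0][2]
    for tag, _, ocsp_vals in children(revocation_values):
        if tag == 0xA1:                                            # ocspVals [1]
            for _, _, resp in children(children(ocsp_vals)[0][2]):
                present.add(hashlib.sha1(resp).digest())
    return bool(ref_hashes) and ref_hashes <= present

def demo():
    # Constructed stand-ins (assumptions): a fake BasicOCSPResponse DER, a fake
    # responder key hash and a producedAt time, in place of a real OCSP client's output.
    basic_resp = der_sequence(der_octet_string(b"constructed placeholder BasicOCSPResponse"))
    key_hash = hashlib.sha1(b"constructed responder public key").digest()
    produced_at = datetime(2007, 6, 25, 6, 5, 55, tzinfo=timezone.utc)
    rid = ocsp_responses_id(key_hash, produced_at, basic_resp)
    refs = revocation_refs_attribute([crl_ocsp_ref([rid])])
    vals = revocation_values_attribute([basic_resp])
    return refs, vals
```

Both attributes belong in the SignerInfo's unsignedAttrs, which is what "non-authenticated" means in the reply above; because they are outside the signed hash, a verifier must rely on the hash inside revocationRefs (and on the timestamp) to tie each response to the signature, which is exactly what refs_match_values checks. If the OCSP client hands back the outer OCSPResponse wrapper, unwrap it to the BasicOCSPResponse before hashing and embedding, or the reference and the value will never match.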
#3208
Posted: 06/25/2007 06:47:12
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Quote
Innokentiy Ivanov wrote:
Just reviewed RFC3126 with regard to CrlOcspRef type. CrlOcspRef structure seems to be a bit more complex than I've expected, so I think it's a good idea to ask your customer if OCSP records he expects are conformant to this specification.


Yes, they always follow the standards.

I'll try to get a file with that kind of signature, but it'll be a long way since it's our government and they're slowwww ;). I'll try to get that RFC working or read about it...

They make that OCSP on a CMS mandatory if a user wants to make long-term signatures. We already give the TSP attributes as you make it quite easy, and we also check for the validity of the certs before signing the files; but we must give an option to make this OCSP appear in the CMS (and also verifying signatures show that information to the users).

Another, more professional URL:
http://www.rfc-ref.org/RFC-TEXTS/3126/

