Uploaded image for project: 'OASIS Open Document Format for Office Applications (OpenDocument) TC'
  1. OASIS Open Document Format for Office Applications (OpenDocument) TC
  2. OFFICE-2670

4 - digital signatures, certificate chain

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Applied
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: ODF 1.2 Part 3 CD 1
    • Fix Version/s: ODF 1.2 CD 06
    • Component/s: Security
    • Labels:
      None
    • Proposal:
      Hide

      Add a heading 4.3.2 Certificate Chain

      Implementations SHOULD include all the certificates of the ("a" ? "the shortest" ?)
      certificate chain inside a <ds:KeyInfo> element.

      Each certificate SHALL be stored in a separate <ds:X509Certificate> element.

      The <ds:X509Certificate> elements representing the certificates of the chain SHALL
      be ordered within a single <ds:X509Data> element, with the <ds:X509Certificate>
      containing the signing certificate put first.

      The <ds:X509Data> element containing the certifcate chain SHALL be
      stored within a <ds:KeyInfo> element.

      Show
      Add a heading 4.3.2 Certificate Chain Implementations SHOULD include all the certificates of the ("a" ? "the shortest" ?) certificate chain inside a <ds:KeyInfo> element. Each certificate SHALL be stored in a separate <ds:X509Certificate> element. The <ds:X509Certificate> elements representing the certificates of the chain SHALL be ordered within a single <ds:X509Data> element, with the <ds:X509Certificate> containing the signing certificate put first. The <ds:X509Data> element containing the certifcate chain SHALL be stored within a <ds:KeyInfo> element.

      Description

      See mailing list on whether or not to include certificate chain

      http://lists.oasis-open.org/archives/office/201005/msg00081.html

      My suggestion would be putting the chain it in ds:KeyInfo, with the signing certificate
      first (not required per spec, but expected by many implementations)

      XAdES says this about CertificateValues:

      "... CertificateValues element contains the full set of certificates that have been used
      to validate the electronic signature, including the signer's certificate. However, it is
      not necessary to include one of those certificates into this property, if the certificate
      is already present in the ds:KeyInfo element of the signature.

      If CompleteCertificateRefs and CertificateValues are present, all the certificates
      referenced in CompleteCertificateRefs MUST be present either in the ds:KeyInfo
      element of the signature or in the CertificateValues property element."

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              bart.hanssens Bart Hanssens (Inactive)
            • Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: