
Manual notes out of date with regards to time stamp and OCSP response times?

Open moll opened this issue 5 years ago • 3 comments

Hey,

Possibly related to https://github.com/open-eid/libdigidocpp/issues/142.

http://open-eid.github.io/libdigidocpp/manual.html#signature-notes states:

When validating a BDOC-TS document then the difference between OCSP validity confirmation's production time (producedAt field) and time-stamp's production time (getTime field) is checked. An exception is thrown if the OCSP confirmation's time is earlier than time-stamp's time.

However, BDOC v2.1.2 seems to have removed that requirement as per https://www.id.ee/?id=36110. I haven't checked whether the implementation still checks that or it's just an out-of-date manual. I've got an XAdES implementation soon to be released for https://rahvaalgatus.ee that'll start requesting the time stamp and an OCSP response in parallel, and their creation times are likely to be randomly ordered, so if libdigidocpp insists one precedes the other, it'll definitely become an issue.

Cheers

moll avatar Nov 14 '19 14:11 moll

It is still checked and will be more strict #324

metsma avatar Nov 22 '19 10:11 metsma

Gotcha. I posted my follow-up question about the reasoning behind the change to #324. I'll be going to visit RIA next week to talk about our two digital signature implementations and their spec compliance and I hope you'll be there, too. ;)

moll avatar Nov 22 '19 15:11 moll

Indeed, the reasons behind each validation rule should have an explanation - at least in the source code if not in the documentation.

More specifically:

"16. When validating a BDOC-TS document then the difference between OCSP validity confirmation's production time (producedAt field) and time-stamp's production time (getTime field) is checked. An exception is thrown if the OCSP confirmation's time is earlier than time-stamp's time. [..]"

This check is required to satisfy the legal requirement that signer's certificate must have been valid at the time of signing (after the time of signing). If outdated revocation information is accepted, the signatory's certificate might as well have been revoked at the time of signing.

"16. [..] If the OCSP confirmation's time is later than time-stamp's time by more than 15 minutes then a warning is returned. [..]"

This check makes no sense. A reason should be described or the check should be removed. In the current version it is not a warning but an error (documentation should be updated).

"16. [..] If the difference is more than 24 hours then exception is thrown."

This check is not present in the current version. The documentation should be updated.

"17. During BDOC signature creation, it is checked that the difference between the signer's computer time and the OCSP response's production time (producedAt value) would not exceed 15 minutes. If the difference exceeds 15 minutes then an exception is returned and signing is cancelled."

This check makes sure that a signature cannot be created if the signatory's computer time is more than 15 minutes off the actual time. Helps the signatory to detect incorrect local time, which in turn increases the credibility of the signatory's computer time reported under the signed metadata.

user8547 avatar Jan 18 '20 07:01 user8547
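The two manual notes quoted in this thread (16: OCSP `producedAt` versus time-stamp `genTime`, 17: signer's clock versus OCSP `producedAt`) can be modelled in a few lines. The block below is an added example, not libdigidocpp's own code; it encodes the thresholds exactly as the manual text states them (error if OCSP precedes the time-stamp, warning past 15 minutes, error past 24 hours, signing refused past 15 minutes of clock skew). The function names, the `SAMPLE_TS_GEN_TIME` constant and all offsets are constructed for the illustration, and the `parallel_fetch_outcomes` helper shows why requesting the time-stamp and OCSP response concurrently, as described in the opening post, is fragile under note 16: the same two responses pass or fail depending only on which one was produced first.

```python
"""Model of manual notes 16 and 17 on BDOC-TS time ordering.

Added example, not libdigidocpp code. It reproduces the manual text as quoted
in the thread; the library as of #324 reportedly treats the 15-minute case as
an error and no longer has the 24-hour rule, so this models the documentation,
not the current implementation.
"""
from datetime import datetime, timedelta, timezone

# Thresholds as stated in manual notes 16 and 17.
WARN_AFTER = timedelta(minutes=15)        # note 16: warning if OCSP > 15 min after TS
FAIL_AFTER = timedelta(hours=24)          # note 16: exception if OCSP > 24 h after TS
CLOCK_SKEW_LIMIT = timedelta(minutes=15)  # note 17: signer clock vs OCSP producedAt

# Constructed sample time-stamp genTime (not from any real document).
SAMPLE_TS_GEN_TIME = datetime(2019, 11, 14, 12, 0, 0, tzinfo=timezone.utc)


def check_ocsp_vs_timestamp(ocsp_produced_at: datetime, ts_gen_time: datetime) -> str:
    """Manual note 16 as written. Returns "ok", "warning" or "error".

    The ordering rule exists so that the revocation information is at least as
    fresh as the proven signing time: an OCSP response produced before the
    time-stamp says nothing about the certificate's status at signing time.
    """
    if ocsp_produced_at.tzinfo is None or ts_gen_time.tzinfo is None:
        raise ValueError("use timezone-aware datetimes; producedAt and genTime are UTC")
    delta = ocsp_produced_at - ts_gen_time
    if delta < timedelta(0):
        return "error"       # revocation info predates the time-stamp
    if delta > FAIL_AFTER:
        return "error"       # 24-hour rule from the manual text
    if delta > WARN_AFTER:
        return "warning"     # 15-minute rule from the manual text
    return "ok"


def signing_allowed(local_signing_time: datetime, ocsp_produced_at: datetime) -> bool:
    """Manual note 17: refuse to sign if the signer's clock differs from the
    OCSP responder's producedAt by more than 15 minutes in either direction."""
    return abs(local_signing_time - ocsp_produced_at) <= CLOCK_SKEW_LIMIT


def parallel_fetch_outcomes(t_first: datetime, t_second: datetime) -> dict:
    """Two responses produced moments apart, as with concurrent TS and OCSP
    requests. Under note 16 the verdict depends only on which was the OCSP."""
    return {
        "ocsp_second": check_ocsp_vs_timestamp(ocsp_produced_at=t_second, ts_gen_time=t_first),
        "ocsp_first": check_ocsp_vs_timestamp(ocsp_produced_at=t_first, ts_gen_time=t_second),
    }


def outcome_for_offset(seconds: int) -> str:
    """Verdict when the OCSP response is produced `seconds` after SAMPLE_TS_GEN_TIME
    (negative means before). Convenience wrapper around check_ocsp_vs_timestamp."""
    ocsp_produced_at = SAMPLE_TS_GEN_TIME + timedelta(seconds=seconds)
    return check_ocsp_vs_timestamp(ocsp_produced_at, SAMPLE_TS_GEN_TIME)


def clock_ok_for_skew(seconds: int) -> bool:
    """Note 17 verdict when the signer's clock is `seconds` off the OCSP producedAt."""
    local_time = SAMPLE_TS_GEN_TIME + timedelta(seconds=seconds)
    return signing_allowed(local_time, SAMPLE_TS_GEN_TIME)


if __name__ == "__main__":
    print("OCSP 3 s after TS:   ", outcome_for_offset(3))
    print("OCSP 3 s before TS:  ", outcome_for_offset(-3))
    print("OCSP 20 min after TS:", outcome_for_offset(20 * 60))
    print("OCSP 25 h after TS:  ", outcome_for_offset(25 * 3600))
    print("Parallel fetch:      ",
          parallel_fetch_outcomes(SAMPLE_TS_GEN_TIME, SAMPLE_TS_GEN_TIME + timedelta(seconds=2)))
    print("Clock 16 min off:    ", clock_ok_for_skew(16 * 60))
```

Run as a script it prints the verdict for each constructed offset; the `parallel_fetch_outcomes` line shows "ok" and "error" for the same two instants, which is the ordering hazard raised in the opening post.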