are
some questions:
a) the insertion of the TAC in signing certificate is against the RFC 3161?
b) If so, what would be the best place in TST to include the TAC or a
reference to it?
c) What do you think of including the TAC or a reference to it in a non
critical extension of TSTInfo?
Best
.html
Dragan
--
View this message in context:
http://openssl.6102.n7.nabble.com/possible-Bug-in-OpenSSL-rfc-3161-TSA-service-tp43128p44380.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project
:
http://openssl.6102.n7.nabble.com/possible-Bug-in-OpenSSL-rfc-3161-TSA-service-tp43128p44380.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http
this is
Error on creating the signature properties of the timestamp:
verification error
so that means, this is not conforming to RFC 3161 ..., because Adobe
Acrobat does ...
But it could be consequence of using this testing TSA - maybe could help
to add the root certificate of this testing TSA
Zeitstempels:
Verifizierungsfehler
in English this is
Error on creating the signature properties of the timestamp:
verification error
so that means, this is not conforming to RFC 3161 ..., because Adobe
Acrobat does ...
But it could be consequence of using this testing TSA - maybe could
help
Erstellen der Unterschriftseigenschaften des Zeitstempels:
Verifizierungsfehler
in English this is
Error on creating the signature properties of the timestamp:
verification error
so that means, this is not conforming to RFC 3161 ..., because Adobe
Acrobat does ...
But it could be consequence
On 17.03.2013 18:48, kap...@mizera.cz wrote:
be verified - the same as you had ...
OpenSSL and Adobe conform to RFC 3161;
but not this TSA ...
correct, the error message means, that the received timestamp could not
But the discussed TSA postsignum would not exist at all if there would
Dne 17.3.2013 19:08, Walter H. napsal(a):
?= it could be probably problem on yours side.
not really ...
What Adobe product and version are you using ? Maybe too old ?
not newest, but RFC 3161 is old, too
If you use older version of Adobe, it maybe do not support attribute
certificates
Dne 15.3.2013 20:24, Walter H. napsal(a):
are you shure this TSA is working at all?
Of course, it is the One TSA in our coutry.
can you give me for a try userid and pwd, then I may find out where the
bug is;
Unfortunately not, it is official paid service.
But You can make tests on testing
.
This resolves issues when TSAs add attribute certs etc.
Since RFC 3161 does not require a client to check anything
else than the presence of the signer cert (and even is is badly written),
I think the verification of a chain in the ess was not appropriate
logic.
regards
and it must be in the first Esscertid.
This resolves issues when TSAs add attribute certs etc.
Since RFC 3161 does not require a client to check anything
else than the presence of the signer cert (and even is is badly written),
I think the verification of a chain in the ess was not appropriate
logic
Dne 16.3.2013 12:58, Walter H. napsal(a):
Unfortunately not, it is official paid service.
But You can make tests on testing TSA:
http://www.postsignum.cz/testovaci_casova_razitka.html
I don't understand this language; can you tell me the URL of this Test TSA?
Try to use
the signature properties of the timestamp:
verification error
so that means, this is not conforming to RFC 3161 ..., because Adobe
Acrobat does ...
Greetings,
Walter
smime.p7s
Description: S/MIME Cryptographic Signature
On 13.03.2013 01:19, kap...@mizera.cz wrote:
Dne 12.3.2013 20:36, Walter H. napsal(a):
Hello,
I found the following:
http://tsa.postsignum.cz:444
do you have account by this TSA ?
No.
if there is a need to have an account; then this page is not conforming
to any RFC - HTTP 400 is not an
have weakend the Esscertid logic a bit. Only the signer certficate is
checked and it must be in the first Esscertid.
This resolves issues when TSAs add attribute certs etc.
Since RFC 3161 does not require a client to check anything
else than the presence of the signer cert (and even is is badly
On 03/11/2013 11:17 PM, kap...@mizera.cz wrote:
That is what we talk about here.
Try to check previous posts in this thread.
rfc 3126 tells
This document mandates the presence of this attribute as a signed CMS
attribute, and the sequence must not be empty. The certificate used
to
On 03/12/2013 09:30 AM, kap...@mizera.cz wrote:
RFC 3161 is written badly. The whole text was a joke anyway.
The requester SHALL verify that the
TimeStampToken contains the correct certificate identifier of the TSA
One may conclude that openssl should simply not validate anything
Dne 12.3.2013 11:54, Peter Sylvester napsal(a):
On 03/12/2013 09:30 AM, kap...@mizera.cz wrote:
RFC 3161 is written badly. The whole text was a joke anyway.
The requester SHALL verify that the
TimeStampToken contains the correct certificate identifier of the TSA
One may
Hello,
I found the following:
http://tsa.postsignum.cz:444
produces the following error, when using this as time stamp server with
adobe standard/pro
BER decoding error
what software do they use?
my solution with OpenSSL works ...
Greetings,
Walter
smime.p7s
Description: S/MIME
You should have received an HTTP 400 error, with an HTML page. The
service behind it may not be RFC3161 compliant, it may even not be
advertised as RFC3161 compliant.
Your solution works, but it doesn't answer the problem.
--
Erwann ABALEA
-
québésectophile: séparatiste québécois
Le
Dne 12.3.2013 20:36, Walter H. napsal(a):
Hello,
I found the following:
http://tsa.postsignum.cz:444
do you have account by this TSA ?
produces the following error, when using this as time stamp server with
adobe standard/pro
BER decoding error
Are you sure you (adobe program) get
timestamps contain in
addition Time Attribute Certificate - TAC included according to RFC
3126. They are RFC 3161 according and other clients works OK, it must
be bug of OpenSSL.
My knowledge is too low and I'm not programmer to debug and
understand it. Can someone test it, please
Am 11.03.2013 13:01, schrieb kap...@mizera.cz:
P.S: is this forum monitored by developers of openssl or should I report
it in devel forum?
At least Stephen Henson answers regularily in this mailing list (as you
can see by looking into a couple of threads), therefore i would stay in
this
On Mon, Mar 11, 2013, Richard Knning wrote:
Am 11.03.2013 13:01, schrieb kap...@mizera.cz:
P.S: is this forum monitored by developers of openssl or should I report
it in devel forum?
At least Stephen Henson answers regularily in this mailing list (as
you can see by looking into a couple
Hello,
Dne 11.3.2013 17:33, Dr. Stephen Henson napsal(a):
As to the OP query. I'm not that familiar with the timestamping code. OpenSSL
doesn't support attribute certificates and adding support is not trivial.
The attribute certificates are common possible in CMS, not just in TS =
attr.
On 03/11/2013 06:43 PM, kap...@mizera.cz wrote:
Hello,
...
As I know, the attr. certs are not very necessary = that is why I mean, that temporary solution
would be to ignore them in verification process. At least in TS it would solve the problem.
Just for info: converting te stuff to
Could you please explain it in detail ?
Commands sentence as example ?
INPUT:
- timestamp reply
- certificates (whole chain)
COMMANDS:
OUTPUT:
successful verification
Thanks --kapetr
Dne 11.3.2013 19:39, Peter Sylvester napsal(a):
On 03/11/2013 06:43 PM, kap...@mizera.cz wrote:
On Mon, Mar 11, 2013, kap...@mizera.cz wrote:
Hello,
Dne 11.3.2013 17:33, Dr. Stephen Henson napsal(a):
As to the OP query. I'm not that familiar with the timestamping code. OpenSSL
doesn't support attribute certificates and adding support is not trivial.
The attribute certificates are
Of course YES.
Timestamp reply is nothing else as CMS SignedData structure.
--kapetr
Dne 11.3.2013 19:51, Dr. Stephen Henson napsal(a):
On Mon, Mar 11, 2013, kap...@mizera.cz wrote:
Hello,
Dne 11.3.2013 17:33, Dr. Stephen Henson napsal(a):
As to the OP query. I'm not that familiar with the
Hello,
try this for generating the TSA-reply
openssl ts -reply -config openssl.cnf -section tsa_timestamp -queryfile
TSA-query -inkey ts.key -signer ts.crt -out TSA-reply
where ts.crt and ts.key are the timestamping certificate and private key
(without passphrase)
and TSA-query is the
the second ess certid says
SEQUENCE {
OCTET STRING
52 EE 29 A7 35 03 04 F8 94 21 48 72 76 9F 24 78
EB 6C D7 AC
}
by 3721926ea67e877df5f4e35dd3c87397eef33d4f
is the hash of the der version of te
On 03/11/2013 08:01 PM, kap...@mizera.cz wrote:
Of course YES.
Timestamp reply is nothing else as CMS SignedData structure.
not quite but ts -reply -tokenout converts it to such a thing
__
OpenSSL Project
Thank you,
but this thread is about TS from real Certification Authority and
problem with attribute certificates.
--kapetr
Dne 11.3.2013 21:16, Walter H. napsal(a):
Hello,
try this for generating the TSA-reply
openssl ts -reply -config openssl.cnf -section tsa_timestamp -queryfile
Dne 11.3.2013 21:42, Peter Sylvester napsal(a):
the second ess certid says
SEQUENCE {
OCTET STRING
52 EE 29 A7 35 03 04 F8 94 21 48 72 76 9F 24 78
EB 6C D7 AC
}
by
On 03/11/2013 10:31 PM, kap...@mizera.cz wrote:
Dne 11.3.2013 21:42, Peter Sylvester napsal(a):
the second ess certid says
SEQUENCE {
OCTET STRING
52 EE 29 A7 35 03 04 F8 94 21 48 72 76 9F 24 78
EB 6C D7 AC
That is what we talk about here.
Try to check previous posts in this thread.
--kapetr
Dne 11.3.2013 22:51, Peter Sylvester napsal(a):
On 03/11/2013 10:31 PM, kap...@mizera.cz wrote:
Dne 11.3.2013 21:42, Peter Sylvester napsal(a):
the second ess certid says
SEQUENCE {
Just note.
I accidentally deleted: http://2i.cz/dcc5b69c4f
Here is new copy: http://2i.cz/0f81f2d80b
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
Do you think OpenSSL is a game?
On 11.03.2013 22:02, kap...@mizera.cz wrote:
Thank you,
but this thread is about TS from real Certification Authority and
problem with attribute certificates.
--kapetr
Dne 11.3.2013 21:16, Walter H. napsal(a):
Hello,
try this for generating the TSA-reply
should be possible even for
no-programmer. What about access via web form ?
--kapetr
Dne 1.2.2013 23:55, Jaime Hablutzel Egoavil napsal(a):
Hi, maybe this question is a little bit off topic but I can't find
anywhere to ask it. Do you know a RFC 3161 (time-stamp protocol) GUI
that allows to create
translation - sorry): our timestamps contain in addition
Time Attribute Certificate - TAC included according to RFC 3126. They are
RFC 3161 according and other clients works OK, it must be bug of OpenSSL.
My knowledge is too low and I'm not programmer to debug and understand it.
Can someone test
Hello,
My CA Authority (Europe Union qualified!) claims - there is Bug in OpenSSL =
verifying digi. timestamp fails.
The CA says (my bad translation - sorry): our timestamps contain in addition
Time Attribute Certificate - TAC included according to RFC 3126. They are
RFC 3161 according
Title: RFC 3161
Does OpenSSL implements RFC 3161 (timestamping)? Do you know for any toolkit supporting it?
Thank you,
Milan
Milan Tomic wrote:
Does OpenSSL implements RFC 3161 (timestamping)?
no
Do you know for any toolkit supporting it?
try:
http://www.opentsa.org/ or
https://www.openevidence.org/
Cheers,
Nils
__
OpenSSL Project
: Bob Steele [EMAIL PROTECTED]
To: 'Zoltán Glózik' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, June 07, 2002 6:42 PM
Subject: Re: Is it possible/appropriate to add a timestamp (RFC 3161) to a
PKCS#7?
You are on the right track - it should be possible to attach
a time stamp token to a PKCS7
Hi Bob,
Judging from what you wrote you might want to implement a
'content timestamp', which is added to the authenticated
attributes and contains a timestamp over the encapsulated
content info. This will not give a proof of the signing
time, just the existence of the data at a
On Thu, Jun 06, 2002 at 05:17:48PM -0700, Bob Steele wrote:
This might be a nonsensical question, and if so it
wouldn't be my first foolish question here:
Is it possible or appropriate to add a timestamp object
(RFC 3161) to a PKCS#7 signature during the signature's
creation
Hi Bob,
You are on the right track - it should be possible to attach a time stamp token to a
PKCS7 token. However, there are several options depending on what you want to time
stamp. The two most obvious ones being:
- if you want to prove the existence of the orignal content at a particular
No, Bob wants to know:
Does PKCS#7 support additional signed attributes?
The answer is yes.
/r$
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
48 matches
Mail list logo