Network Working Group                                           C. Adams
Request for Comments: 3029                          Entrust Technologies
Category: Experimental                                      P. Sylvester
                                     EdelWeb SA - Groupe ON-X Consulting
                                                            M. Zolotarev
                                      Baltimore Technologies Pty Limited
                                                           R. Zuccherato
                                                    Entrust Technologies
                                                           February 2001
        

Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols

Status of this Memo

This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

This document describes a general Data Validation and Certification Server (DVCS) and the protocols to be used when communicating with it. The Data Validation and Certification Server is a Trusted Third Party (TTP) that can be used as one component in building reliable non-repudiation services.

Useful Data Validation and Certification Server responsibilities in a PKI are to assert the validity of signed documents, public key certificates, and the possession or existence of data.

Assertions created by this protocol are called Data Validation Certificates (DVC).

We give examples of how to use the Data Validation and Certification Server to extend the lifetime of a signature beyond key expiry or revocation and to query the Data Validation and Certification Server regarding the status of a public key certificate. The document includes a complete example of a time stamping transaction.

Table of Contents

   1. Introduction
   2. Services provided by DVCS
    2.1 Certification of Possession of Data
    2.2 Certification of Claim of Possession of Data
    2.3 Validation of Digitally Signed Documents
    2.4 Validation of Public Key Certificates
   3. Data Certification Server Usage and Scenarii
   4. Functional Requirements for DVCS
   5. Data Certification Server Transactions
   6. Identification of the DVCS
   7. Common Data Types
    7.1 Version
    7.2 DigestInfo
    7.3. Time Values
    7.4. PKIStatusInfo
    7.5. TargetEtcChain
    7.6. DVCSRequestInformation
    7.7. GeneralName and GeneralNames
   8. Data Validation and Certification Requests
   9. DVCS Responses
    9.1. Data Validation Certificate
    9.2. DVCS Error Notification
   10. Transports
    10.1 DVCS Protocol via HTTP or HTTPS
    10.2 DVCS Protocol Using Email
   11. Security Considerations
   12. Patent Information
   13. References
   14. Authors' Addresses
   APPENDIX A - PKCS #9 Attribute
   APPENDIX B - Signed document validation
   APPENDIX C - Verifying the Status of a Public Key Certificate
   Appendix D - MIME Registration
   Appendix E - ASN.1 Module using 1988 Syntax
   Appendix F - Examples
   Appendix G - Acknowledgements
   Full Copyright Statement
        
1. Introduction

This document is the result of work that has been proposed and discussed within the IETF PKIX working group. The authors and some members of the group felt that promoting the rather new concepts into the standards process seemed premature. The concepts presented have been stable for some time and partially implemented. It was agreed that a publication as experimental RFC was an appropriate means to get a stable reference document to permit other implementations to occur.

The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase, as shown) are to be interpreted as described in [RFC2119].

A Data Validation and Certification Server (DVCS) is a Trusted Third Party (TTP) providing data validation services, asserting correctness of digitally signed documents, validity of public key certificates, and possession or existence of data.

As a result of the validation, a DVCS generates a Data Validation Certificate (DVC). The data validation certificate can be used for constructing evidence of non-repudiation relating to the validity and correctness of an entity's claim to possess data, the validity and revocation status of an entity's public key certificate and the validity and correctness of a digitally signed document.

Services provided by a DVCS do not replace the usage of CRLs and OCSP for public key certificate revocation checking in large open environments, due to concerns about the scalability of the protocol.

It should be rather used to support non-repudiation or to supplement more traditional services concerning paperless document environments. The presence of a data validation certificate supports non-repudiation by providing evidence that a digitally signed document or public key certificate was valid at the time indicated in the DVC.

A DVC validating a public key certificate can for example be used even after the public key certificate expires and its revocation information is no longer or not easily available. Determining the validity of a DVC is assumed to be a simpler task, for example, if the population of DVCS is significantly smaller than the population of public key certificate owners.

An important feature of the protocol is that DVCs can be validated by using the same protocol (not necessarily using the same service), and the validity of a signed document, in particular a DVC, can also be determined by means other than by verifying its signature(s), e.g., by comparing against an archive.

The production of a data validation certificate in response to a signed request for validation of a signed document or public key certificate also provides evidence that due diligence was performed by the requester in validating a digital signature or public key certificate.

This document defines the use of digital signatures to insure the authenticity of documents and DVCs, and uses a corresponding terminology; the use of other methods to provide evidence for authenticity is not excluded, in particular it is possible to replace a SignedData security envelope by another one.

2. Services provided by DVCS

The current specification defines 4 types of validation and certification services:

- Certification of Possession of Data (cpd),

- Certification of Claim of Possession of Data (ccpd),

- Validation of Digitally Signed Document (vsd), and

- Validation of Public Key Certificates (vpkc).

A DVCS MUST support at least a subset of these services. A DVCS may support a restricted vsd service allowing to validate data validation certificates.

On completion of each service, the DVCS produces a data validation certificate - a signed document containing the validation results and trustworthy time information.

2.1 Certification of Possession of Data

The Certification of Possession of Data service provides evidence that the requester possessed data at the time indicated and that the actual data were presented to the Data Validation Server.

2.2 Certification of Claim of Possession of Data

The Certification of Claim of Possession of Data service is similar to the previous one, except that the requester does not present the data itself but a message digest.

2.3 Validation of Digitally Signed Documents

The Validation of Digitally Signed Document service is used when validity of a signed document is to be asserted.

The DVCS verifies all signatures attached to the signed document using all appropriate status information and public key certificates. The DVCS verifies the mathematical correctness of all signatures attached to the document and also checks whether the signing entities can be trusted, for example by validating the full certification path from the signing entities to a trusted point (e.g., the DVCS's CA, or the root CA in a hierarchy).

The DVCS may be able to rely on relevant CRLs or may need to supplement this with access to more current status information from the CAs for example by accessing an OCSP service, a trusted directory service, or other DVCS services.

The DVCS will perform verification of all signatures attached to the signed document. A failure of the verification of one of the signatures does not necessarily result in the failure of the entire validation, and vice versa, a global failure may occur if the document has an insufficient number of signatures.

2.4 Validation of Public Key Certificates

The Validation of Public Key Certificates service is used to verify and assert the validity (according to [RFC2459]) of one or more public key certificates at the specified time.

When verifying a public key certificate, the DVCS verifies that the certificate included in the request is a valid certificate and determines its revocation status at a specified time. The DVCS checks the full certification path from the certificate's issuer to a trusted point. Again, the DVCS MAY be able to rely on external information (CRL, OCSP, DVCS).

3. Data Certification Server Usage and Scenarii.

It is outside the scope of this document to completely describe different operational scenarii or usages for DVCS.

See Appendix B and C for a set of some basic examples and use cases.

The Validate Signed Document service can be used to support non-repudiation services, to allow use of the signed document beyond public key certificate revocation or expiry, or simply to delegate signature validation to a trusted central (company wide) service.

The Validate Public Key Certificate service can be used when timely information regarding a certificate's revocation status is required (e.g., high value funds transfer or the compromise of a highly sensitive key) or when evidence supporting non-repudiation is required.

A data validation certificate may be used to simplify the validation of a signature beyond the expiry or subsequent revocation of the signing certificate: a Data validation certificate used as an authenticated attribute in a signature includes an additional assertion about the usability of a certificate that was used for signing. In order to validate such a signature it may be sufficient to only validate the data validation certificate.

A DVCS may include additional key exchange certificates in a data validation certificate to validate a key exchange certificate in order to provide to an application a set of additional authorised recipients for which a session key should also be encrypted. This can be used for example to provide central management of a company wide recovery scheme. Note, that the additional certificates may not only depend on the requested certificate, but also on the requester's identity.

The Certification of Claim of Possession of Data service is also known as time stamping.

The Certification of Possession of Data service can be used to assert legal deposit of documents, or to implement archival services as a trusted third party service.

The Data Validation and Certification Server Protocols can be used in different service contexts. Examples include company-wide centralised services (verification of signatures, certification of company certificates), services to cooperate in a multi-organization community, or general third party services for time stamping or data archival.

An important application of DVCS is an enterprise environment where all security decisions are based on company wide rules. A company wide DVCS service can be used to delegate all technical decisions (e.g., path validation, trust configuration) to a centrally managed service.

In all cases, the trust that PKI entities have in the Data Validation and Certification Server is transferred to the contents of the Data Validation Certificate (just as trust in a CA is transferred to the public key certificates that it issues).

A DVCS service may be combined with or use archiving and logging systems, in order to serve as a strong building block in non-repudiation services. In this sense it can be regarded as an Evidence Recording Authority [ISO-NR].

4. Functional Requirements for DVCS

The DVCS MUST

1. provide a signed response in the form of a data validation certificate to the requester, as defined by policy, or an error response. The DVCS service definition and the policy define how much information that has been used by the DVCS to generate the response will be included in a data validation certificate, e.g., public key certificates, CRLs, and responses from other OCSP servers, DVCS, or others.

2. indicate in the data validation certificate whether or not the signed document, the public key certificate(s), or the data were validated, and, if not, the reason why the verification failed.

3. include a strictly monotonically increasing serial number in each data validation certificate.

4. include a time of day value or a time stamp token into each data validation certificate.

5. sign each data certification token using a key that has been certified with a dvcs signing extended key purpose, and include a reference to this certificate as a signed attribute in the signature.

6. check the validity of its own signing key and certificate before delivering data validation certificates and MUST NOT deliver a data validation certificate in case of failure.

A DVCS SHOULD include within each data validation certificate a policy identifier to determine the trust and validation policy used for DVC's signature.

5. Data Certification Server Transactions

A DVCS transaction begins with a client preparing a Data Validation and Certification Request. The request always contains data for which validity, correctness or possession is to be certified.

The request MAY be encapsulated using a security envelope to provide for authentication of both requester and server. Requester authentication can be achieved by several of the formats described in CMS, in particular, signedData.

The DVCS client chooses an appropriate transport mechanism to convey the requests to a DVCS. It may also be necessary to choose a transport mechanism providing confidentiality and, in particular, allowing authentication of the DVCS by the requestor, e.g., TLS or CMS or S/MIME encryption.

If the request is valid, the DVCS performs all necessary verification steps, generates a Data Validation Certificate (DVC), and sends a response message containing the DVC back to the requestor.

The Data Validation Certificate is formed as a signed document (CMS SignedData).

As with the request, it may be necessary to choose a transport mechanism that provides for confidentiality to carry the DVC. DVCs are not necessarily transported the same way as requests, e.g., they can be returned using e-mail after an online request received via HTTPS.

If the request was invalid, the DVCS generates a response message containing an appropriate error notification.

Upon receiving the response, the requesting entity SHOULD verify its validity, i.e., whether it contains an acceptable time, the correct name for the DVCS, the correct request information and message imprint, a valid signature, and satisfactory status, service and policy fields.

When verifying the validity of a DVC, it is up to the requestor's application to check whether a DVCS's signing certificate is valid. Depending on the usage environment, different methods, online or out of band, e.g., CRLs, DVCS, or OCSP, may have to be used.

After all checks have passed, the data validation certificate can be used to authenticate the correctness or possession of the corresponding data.

A DVCS may return more than one DVC corresponding to one request. In this case, all but one request have a global status of 'WAITING'.

6. Identification of the DVCS

In order to be able to import elements from dvcs, the following object identifier is used as an ASN.1 module identifier.

   id-mod-dvcs OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
     dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 15}
        

The DVCS that use SignedData to provide authentication for DVCs MUST sign all data certification messages with a key whose corresponding certificate MUST contain the extended key usage field extension as defined in [RFC2459] Section 4.2.1.14 with KeyPurposeID having value id-kp-dvcs. This extension MUST be marked as critical.

The Data Validation Certificate MUST contain an ESSCertID authenticated attribute for the certificate used by the DVCS for signing.

   id-kp-dvcs  OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
        dod(6) internet(1) security(5) mechanisms(5) pkix(7) kp(3) 10}
        

Consistent KeyUsage bits:

digitalSignature, nonRepudiation, keyCertSign, cRLSign

A DVCS's certificate MAY contain an Authority Information Access extension [RFC2459] in order to convey the method of contacting the DVCS. The accessMethod field in this extension MUST contain the OID id-ad-dvcs:

   id-ad-dvcs  OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
        dod(6) internet(1) security(5) mechanisms(5) pkix(7) ad(48) 4}
        

The value of the 'accessLocation' field defines the transport (e.g., an URI) used to access the DVCS.
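
A relying party can check the signer-certificate rule of this section mechanically: the extended key usage extension must be present, contain id-kp-dvcs, and be marked critical. The Python code below is an added example, not part of the RFC; it DER-encodes the OID, parses one X.509 Extension and applies the rule. The helper names and the sample extensions are constructed for illustration, and the id-ce-extKeyUsage OID 2.5.29.37 is taken from RFC 2459.

```python
# Added example (not from the RFC): apply the Section 6 rule to one
# DER-encoded X.509 Extension. Standard library only.

ID_KP_DVCS = "1.3.6.1.5.5.7.3.10"   # id-kp-dvcs as defined in this section
ID_CE_EKU = "2.5.29.37"             # id-ce-extKeyUsage, RFC 2459 4.2.1.14


def encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # base-128, high bit = "more follows"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def check_dvcs_eku(extension_der):
    """Return (ok, reason) for one DER-encoded Extension."""
    try:
        tag, ext, _ = read_tlv(extension_der)
        if tag != 0x30:
            return False, "not a SEQUENCE"
        tag, oid, pos = read_tlv(ext)
        if tag != 0x06 or decode_oid(oid) != ID_CE_EKU:
            return False, "not an extKeyUsage extension"
        tag, value, pos = read_tlv(ext, pos)
        critical = False                  # BOOLEAN DEFAULT FALSE
        if tag == 0x01:
            critical = value == b"\xff"
            tag, value, pos = read_tlv(ext, pos)
        if tag != 0x04:
            return False, "missing extnValue"
        tag, purposes, _ = read_tlv(value)
        if tag != 0x30:
            return False, "extnValue is not a SEQUENCE"
        found, p = [], 0
        while p < len(purposes):
            tag, oid, p = read_tlv(purposes, p)
            if tag != 0x06:
                return False, "KeyPurposeId is not an OID"
            found.append(decode_oid(oid))
    except ValueError:
        return False, "malformed DER"
    if ID_KP_DVCS not in found:
        return False, "id-kp-dvcs not present"
    if not critical:
        return False, "extension not marked critical"
    return True, "ok"


def tlv(tag, value):
    """Build a short-form TLV (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value


def build_eku_extension(purposes, critical):
    """Constructed sample input: an extKeyUsage Extension in DER."""
    inner = tlv(0x30, b"".join(encode_oid(p) for p in purposes))
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(ID_CE_EKU) + crit + tlv(0x04, inner))


if __name__ == "__main__":
    for purposes, critical in (([ID_KP_DVCS], True), ([ID_KP_DVCS], False),
                               (["1.3.6.1.5.5.7.3.1"], True)):
        print(purposes, critical,
              check_dvcs_eku(build_eku_extension(purposes, critical)))
```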

7. Common Data Types

There are several common data types that occur in the request and the response data structures. These data types are either defined by this document or imported from other sources. This chapter defines and describes these types and lists their usages.

7.1 Version:

The request and the response include an optional integer field specifying the version of the data structure. For both fields the value is 1, or the field is not present at all in this version of the protocol.

7.2 DigestInfo:

This element is defined in [RFC2315]. Since the status of that document is informational, the definition is repeated here:

   DigestInfo ::= SEQUENCE {
       digestAlgorithm   DigestAlgorithmIdentifier,
       digest            Digest }
        
   Digest ::= OCTET STRING
        

The fields of type DigestInfo have the following meanings:

- The field 'digestAlgorithm' identifies the message-digest algorithm (and any associated parameters) under which data are digested.

- The field 'digest' is the result of the message-digesting process.

A DigestInfo is used in two places:

- as a data portion for the ccpd service, and

- in all data validation certificates to hold a digest of the data portion of the corresponding request or a copy of the data field for a ccpd service.

7.3. Time Values

Indicators of time can be present in requests and responses. In the most simple form, the time is represented as GeneralizedTime where fractions of seconds are allowed.

An alternate form is a timeStampToken from a TSA, or as a DVC (or some other token) from another third party service.

It is a matter of policy whether a DVCS tries to interpret or validate a Time Value in a request.

   DVCSTime ::= CHOICE  {
        genTime                      GeneralizedTime,
        timeStampToken               ContentInfo }
        

Future versions of the protocol MAY include additional time formats.

Time values generated by the DVCS are increasing but not necessarily unique; an order among DVCs is defined by serial numbers.

7.4. PKIStatusInfo

This structure is defined in [RFC2510]. It is used as component of the 'chain' field of a TargetEtcChain structure, and as a global status indicator in the DVCSResponse structure. Every occurrence of PKIStatusInfo is generated by the responding DVCS to reflect the result of some local verification.

7.5. TargetEtcChain

A TargetEtcChain structure contains certificates and other indicators to describe either (in a request for a vpkc service) information to be validated, or the result of the verifications. The structure may also contain information about policies and policy mappings.

The details about how to fill in and to interpret the structure are defined later for each service.

The 'pathProcInput' field contains information about policies and policy mapping to be used or used during a validation.

In a response, the 'pkistatus' and 'certstatus' choices can only occur in the 'chain' sequence. If present, they contain the result of a local verification of the immediately preceding element, or of the target value, if it is the first element in the 'chain' sequence. If no 'pkistatus' or 'certstatus' is present, the DVCS considers all elements in the 'chain' as trustworthy. Note that there may be a valid OCSP response or DVC indicating an invalid certificate.

   TargetEtcChain ::= SEQUENCE {
        target                       CertEtcToken,
        chain                        SEQUENCE SIZE (1..MAX) OF
                                        CertEtcToken OPTIONAL,
        pathProcInput                [0] PathProcInput OPTIONAL }
        
   PathProcInput ::= SEQUENCE {
        acceptablePolicySet          SEQUENCE SIZE (1..MAX) OF
                                        PolicyInformation,
        inhibitPolicyMapping         BOOLEAN DEFAULT FALSE,
        explicitPolicyReqd           BOOLEAN DEFAULT FALSE }
        
   CertEtcToken ::= CHOICE {
        certificate                  [0] IMPLICIT Certificate ,
        esscertid                    [1] ESSCertId ,
        pkistatus                    [2] IMPLICIT PKIStatusInfo ,
        assertion                    [3] ContentInfo ,
        crl                          [4] IMPLICIT CertificateList,
        ocspcertstatus               [5] IMPLICIT CertStatus,
        oscpcertid                   [6] IMPLICIT CertId ,
        oscpresponse                 [7] IMPLICIT OCSPResponse,
        capabilities                 [8] SMIMECapabilities,
        extension                    Extension }

Certificate, PolicyInformation and CertificateList are defined in [RFC2459]. ESSCertId is defined in [RFC2634]. CertId, OCSPResponse and CertStatus are defined in [RFC2560]. PKIStatusField is defined in [RFC2510].

The choice 'assertion' can contain a data validation certificate, or a timeStamp, or other assertions.

The choices 'assertion', 'ocspresponse' and 'crl' are provided by services external to the responding DVCS. The choices 'certStatus' and 'pkistatus' reflect decisions made directly by the responding DVCS.

As a replacement for certificates, certification identifiers (ESSCertId, CertId) MAY be used in requests and responses, if this is sufficient to perform the service, e.g., when the corresponding certificates are provided elsewhere in a request or response (as part of the SignedData type).

Certificate or certification identifiers of certification authorities MAY occur in any order and MAY represent several certification chains.

The choice 'capabilities' can be used to indicate SMIMECapabilities. It applies to the certificate identified by the preceding element in the sequence.

7.6. DVCSRequestInformation

A DVCSRequestInformation data structure contains general information about the Data Validation and Certification Request. This structure occurs in a request, and is also included in a corresponding Data Validation Certificate.

   DVCSRequestInformation ::= SEQUENCE  {
        version                      INTEGER DEFAULT 1 ,
        service                      ServiceType,
        nonce                        INTEGER OPTIONAL,
        requestTime                  DVCSTime OPTIONAL,
        requester                    [0] GeneralNames OPTIONAL,
        requestPolicy                [1] PolicyInformation OPTIONAL,
        dvcs                         [2] GeneralNames OPTIONAL,
        dataLocations                [3] GeneralNames OPTIONAL,
        extensions                   [4] IMPLICIT Extensions OPTIONAL }

The ServiceType type enumerates the DVCS service type of a request. See chapter 2 for the description of the services.

   ServiceType ::= ENUMERATED { cpd(1), vsd(2), cpkc(3), ccpd(4) }
        
7.7. GeneralName and GeneralNames

There are several occurrences of SEQUENCES of GeneralName and GeneralNames. These structures are imported from [RFC2459].

8. Data Validation and Certification Requests

A Data Validation and Certification request is a ContentInfo defined in [RFC2630].

It may consist of a [RFC2630] content with a contenttype id-ct-DVCSRequestData signalling a DVCSRequestData,

   id-ct-DVCSRequestData OBJECT IDENTIFIER ::= {iso(1) member-body(2)
     us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 7}
        

These data are optionally encapsulated by contenttypes that provide for authentication and/or confidentiality.

This document describes the usage of a SignedData construct of [RFC2630] where the contenttype indicated in the eContentType of the encapContentInfo is id-ct-DVCSRequestData and the eContent of the encapContentInfo, carried as an octet string, contains a DVCSRequestData structure.

When using a SignedData structure, a Data Validation and Certification Request MAY contain several SignerInfo structures, and countersignature attributes depending on operational environments. When an end user client creates the request, there is one or zero SignerInfo. A relaying DVCS MAY add an additional signature or a countersignature attribute, or MAY use another encapsulation from [RFC2630] that provides for authentication and/or confidentiality.

The content of a request consists of a description of the desired service and additional parameters, the data to be validated, and an optional identifier of the request.

   DVCSRequest ::= SEQUENCE  {
       requestInformation         DVCSRequestInformation,
       data                       Data,
       transactionIdentifier      GeneralName OPTIONAL
   }
        

The 'DVCSRequest.requestInformation' element contains general information about the request. It is filled in by the requester as follows:

- The 'version' field is set to 1 or the field is absent in this version of the protocol.

The field 'service' contains the requested service.

- The 'nonce' field MAY be used to provide additional protection against replay or content guessing attacks.

- The 'requestTime' field MAY be used to indicate the time for which the requested service should be performed. For a vsd and cpkc service, it specifies the time for which the validity of a signed document or certificates is to be asserted. For the other services, the field is ignored by the DVCS. If the field is absent, the current time is assumed.

- The value of the 'requester' field indicates the requesting entity.

The interpretation and usage of this field MUST be defined by the DVCS policy.

Some usage examples are:

If the field is present, and the request is signed, a DVCS MAY require that the field MUST match the identity (subjectName or subjectAltName extension) of the corresponding signature certificate.

A request MAY be signed by a DVCS when relaying it to another DVCS.

When acting as a relay, a DVCS MAY add its own identity in the request relayed to another service provider, and it MAY remove the initial value.

- The 'requestPolicy' field SHOULD indicate the policy under which the validation is requested. This field MUST be checked by the DVCS to verify agreement with its own policy. The absence of this field indicates that any policy is acceptable.

- The 'dvcs' field MAY be used to indicate a list of DVCS which can be contacted to provide (additional) information or to perform additional operations necessary to produce the response.

It is up to the DVCS policy whether to honor this field or not, and to define which choice of a general name is acceptable (e.g., an URL or a DN).

- The 'dataLocations' field MAY be used to indicate where a copy of the 'data' field of the request or supplementary information can be obtained. The DVCS does not use this field for its own operation; the exact interpretation of this field is defined by applications.

- The 'requestTime' field MAY be used to indicate the time for which the requested service should be performed. For a vsd and cpkc service, it specifies the time for which the validity of a signed document or certificates is to be asserted. For the other services, the field is ignored by the DVCS. If the field is absent, the current time is assumed. The DVCS service may have a time limit or a delta time limit regarding current time which are specified in the local policy of the DVCS service.

- The 'extensions' field MAY be used to include additional information. Extensions may be marked critical or not in order to indicate whether the DVCS is supposed to understand them. This document does not define extensions.

The DVCSRequest.data contains service-specific content, defined by each particular service provided by the DVCS.

Depending on the requested service type, the field may contain a signed document, a list of certificates, a message digest or arbitrary data.

The following type is used:

   Data ::= CHOICE {
         message           OCTET STRING ,
         messageImprint    DigestInfo,
         certs             SEQUENCE SIZE (1..MAX) OF
                               TargetEtcChain
   }
        

The requester fills the 'data' element as follows:

- For a vsd service request, the requestor encapsulates a CMS SignedData object in the value octets of the 'message' choice.

It is up to the requester to decide whether and how to provide any certificate that may be needed to verify the signature(s) in the signedData object. A requester MAY add certificates to the encapsulated signedData object or in the certificate list of the request.

- For a cpkc service request the 'certs' choice is used.

Each certificate to be verified MUST be included in a separate instance of TargetEtcChain. The 'TargetEtcChain.chain' field, if present, indicates one or more chains of trust that can be used to validate the certificate. The DVCS MAY choose to select a subset of certificates as certification path, or to ignore this field. The 'TargetEtcChain.pathProcInput' field, if present, indicates the acceptable policy set and initial settings for explicit-policy-indicator and inhibit-policy-mapping indicators to be used in X.509 public key certificate path validation (see [RFC2459]).

Only the Certificate, ESSCertId, CertId or Extension choices of the TargetEtcChain can be used in the request.

The requester is responsible for providing sufficient information to the DVCS to identify the corresponding certificates.

- For a ccpd service the 'messageImprint' choice is used.

The hash algorithm indicated in the hashAlgorithm field SHOULD be a "strong" hash algorithm (that is, it SHOULD be one-way and collision resistant). It is up to the Data Certification Server to decide whether or not the given hash algorithm is sufficiently "strong" (based on the current state of knowledge in cryptanalysis and the current state of the art in computational resources, for example).

- For a cpd service the 'message' choice is used.

The field contains requester-specific data with any type of content. The DVCS does not inspect, modify, or take any particular action based on the particular content of the 'message' field.

The field 'DVCSRequest.transactionIdentifier' MAY be used in order to associate DVCS responses containing error messages to requests. For example, in a mail based environment, the parameter could be a copy of a messageid. Note that the transactionIdentifier is not necessary for associating a request with a valid data validation certificate.

9. DVCS Responses

This chapter describes the data structures that are created by a DVCS to indicate the results of validation and certification requests.

A DVCS Response structure is generated by the DVCS as a result of processing of the data validation and certification request.

A Data Validation response contains an [RFC2630] ContentInfo with a type of id-ct-DVCSResponseData signalling a DVCSResponse structure.

   id-ct-DVCSResponseData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 8 }
        

The data MAY be encapsulated by constructs of [RFC2630] in order to provide authentication of the DVCS, and/or integrity and confidentiality of the request. This document specifies the usage of a SignedData construct of [RFC2630].

The contenttype indicated in the eContentType of the encapContentInfo is of type id-ct-DVCSResponseData, signalling a DVCSResponse as eContent of the encapContentInfo (carried as an octet string). The DVCS SHOULD use a key for which a corresponding certificate indicates in an extendedKeyUsage the purpose of DVCS signing.

In a critical situation when a DVCS cannot produce a valid signature (if the DVCS's signing key is known to be compromised, for example), the DVCSResponse, containing the error notification, MUST be generated as a signedData with no signerInfo attached. Receiving unsigned DVCSResponse MUST be treated by the clients as a critical and fatal error, and the content of the message should not be implicitly trusted.

A valid response can contain one of the following:

1. A Data Validation Certificate (DVC), delivering the results of data validation operations, performed by the DVCS.

2. An error notification. This may happen when a request fails due to a parsing error, requester authentication failure, or anything else that prevented the DVCS from executing the request.

The following type is used:

   DVCSResponse ::= CHOICE {
       dvCertInfo         DVCSCertInfo ,
       dvErrorNote        [0] DVCSErrorNotice }
        
9.1. Data Validation Certificate

A Data Validation Certificate is a signedData object containing a DVCSResponse with a 'dvCertInfo' choice.

   DVCSCertInfo::= SEQUENCE  {
            version             Integer DEFAULT 1 ,
            dvReqInfo           DVCSRequestInformation,
            messageImprint      DigestInfo,
            serialNumber        Integer,
            responseTime        DVCSTime,
            dvStatus            [0] PKIStatusInfo OPTIONAL,
            policy              [1] PolicyInformation OPTIONAL,
            reqSignature        [2] SignerInfos  OPTIONAL,
            certs               [3] SEQUENCE SIZE (1..MAX) OF
                                    TargetEtcChain OPTIONAL,
            extensions          Extensions OPTIONAL }
        

The DVCSCertInfo structure is returned as a result of successful execution of data validation service. It contains the results of the data validation, a reference to the original request, and other parameters. Please note that 'successful execution' does not necessarily mean that the validation itself was successful - a DVCSCertInfo may contain both the 'valid' and 'invalid' results.

The DVCS creates a DVCSCertInfo as follows:

- The 'version' field is never present in this version of the protocol.

The 'dvReqInfo' is essentially a copy of the 'requestInformation' field of the corresponding request. The DVCS MAY modify the fields 'dvcs', 'requester', 'dataLocations', and 'nonce' of the ReqInfo structure, e.g., if the request was processed by a chain of DVCS, if the request needs to indicate DVCS, or to indicate where to find a copy of the data from a 'vpd' request. The only modification allowed to a 'nonce' is the inclusion of a new field if it was not present, or to concatenate other data to the end (right) of an existing value.

- The 'DVCSCertInfo.messageImprint' field is computed from the 'data' field of the corresponding request as follows:

For the 'certs' choice (the 'vpkc' service), the digest is computed over the DER encoded data value. For a 'message' choice (the 'vsd' and the 'vpd' services) the digest is computed over the value octets (not including tag and length octets) of the OCTET STRING. It is up to the DVCS to choose an appropriate digest algorithm.

For a 'messageImprint' choice (the 'vcpd' service), the 'messageImprint' of the DVCSRequest is copied as is.

- The 'DVCSCertInfo.serialNumber' field contains a unique identifier of the request.

- The field 'responseTime' indicates a time value associated with the response. The value MAY be a locally generated one, or a signed TimeStampToken (TST) or DVC obtained from an external service. Before using a value obtained from an external service, the DVCS must validate it according to the rules of the external service.

- The field 'DVCSCertInfo.dvStatus' reflects a collective result of the validation.

If the field is missing, it is an equivalent of the SUCCESS status.

For a vkpc, if the status field is present and set to SUCCESS, it indicates that all certificates were successfully validated. If it is present and set to FAILED, it indicates that all or some of the certificates failed validation, and the specific status of the 'certs' should be investigated; at least one of the elements of the 'certs' TargetEtcChain structures MUST have a failure status.

If the field 'dvStatus' does not indicate success ('granted' or 'granted with mods') the element 'failInfo' MAY indicate the reason for the failure. Note that the field 'certs' MAY contain additional information about verification failures.

A failure of the verification of one of the signatures does not necessarily result in failing to validate a signed document. For example, as long as a sufficient number of signatures were successfully verified, a DVC with status 'grantedWithMods' may be produced. A DVC with status 'granted' MUST only be produced if all signatures verified successfully.

The field MUST be present, and the status must be set to WAITING, if no final response can be immediately available. It is assumed that the DVCS provides an additional final status some time later. The details of the necessary procedures are part of the DVCS policy.

In case of failure, the requester can further investigate the cause of the failure by looking into the TargetEtcChain fields. 'CertEtcToken.pkistatus' fields will indicate which item(s) failed or passed the validation and for what reason.

- The 'DVCSCertInfo.policy' field indicates the policy under which the DVCS operates.

- If present, 'DVCSCertInfo.reqSignature' MUST be the same value as the signerInfos field of the corresponding request. It is a policy decision whether to include this field.

- The 'DVCSCertInfo.certs' field contains the results of the verifications made by the DVCS. For the cpkc service, each element contains a copy of a corresponding field of the request with the selected subset in the targetAndChain subfield and the results of the verifications, and additional certificates or certificate references, e.g., from certification authorities or as described in appendix C.3. For a vsd service, each element contains the result of the validation of one signature of the signed document to be validated.

In case of a global status of WAITING, the DVCS MAY choose to return an individual status of waiting in some of the 'certs' field, or not to return such a TargetEtcChain at all.

The 'acceptablePolicySet' sequence indicates the policies and mappings that were processed during X.509 public key certificate path validation. PolicyMappingsSyntax is defined in [RFC2459].

- The 'extensions' field MAY be used to return additional information to the client. Extensions MAY be marked critical or not in order to indicate whether the client MUST understand them. This document does not define extensions.
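
The 'messageImprint' rules of this section, together with the "strong" hash requirement of section 8, can be checked by a client before it accepts a DVC. The following Python sketch is an added example, not code from the RFC or from any DVCS implementation; the function names, the minimal DER reader, the client-side digest allow-list and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
from enum import IntEnum


class ServiceType(IntEnum):          # values from the ServiceType ENUMERATED
    CPD = 1
    VSD = 2
    CPKC = 3
    CCPD = 4


# Client-side allow-list (an assumption of this example, not part of the RFC):
# DER content octets of the digest algorithm OID -> hashlib name.
STRONG_DIGESTS = {
    bytes.fromhex("608648016503040201"): "sha256",
    bytes.fromhex("608648016503040202"): "sha384",
    bytes.fromhex("608648016503040203"): "sha512",
}


def read_tlv(buf, pos=0):
    """Decode one definite-length DER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used by these structures")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("length is not minimally encoded")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der(tag, value):
    """Encode one DER element (used to build the constructed samples below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def parse_digest_info(digest_info_der):
    """Split DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }."""
    tag, body, end = read_tlv(digest_info_der)
    if tag != 0x30 or end != len(digest_info_der):
        raise ValueError("not a single DigestInfo SEQUENCE")
    alg_tag, alg, pos = read_tlv(body)
    digest_tag, digest, end = read_tlv(body, pos)
    if alg_tag != 0x30 or digest_tag != 0x04 or end != len(body):
        raise ValueError("malformed DigestInfo")
    oid_tag, oid, _ = read_tlv(alg)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return oid, digest


def imprint_matches(service, request_data_der, dvc_imprint_der):
    """True if DVCSCertInfo.messageImprint matches the request 'data' field."""
    service = ServiceType(service)
    if service is ServiceType.CCPD:
        # 'messageImprint' choice: the DVCS copies the request value as is.
        return hmac.compare_digest(request_data_der, dvc_imprint_der)
    oid, digest = parse_digest_info(dvc_imprint_der)
    name = STRONG_DIGESTS.get(oid)
    if name is None:
        return False                  # digest algorithm not accepted by this client
    tag, value, end = read_tlv(request_data_der)
    if end != len(request_data_der):
        raise ValueError("trailing bytes after the data element")
    if service is ServiceType.CPKC:
        if tag != 0x30:
            raise ValueError("cpkc expects the 'certs' SEQUENCE")
        hashed = request_data_der     # 'certs': digest over the DER encoded value
    else:
        if tag != 0x04:
            raise ValueError("cpd and vsd expect the 'message' OCTET STRING")
        hashed = value                # 'message': value octets, no tag or length
    return hmac.compare_digest(hashlib.new(name, hashed).digest(), digest)


# Constructed sample values (not taken from the RFC).
SHA256_ALG = der(0x30, der(0x06, bytes.fromhex("608648016503040201")) + der(0x05, b""))
MESSAGE = b"constructed sample document " * 8        # 224 bytes, long-form length
REQUEST_DATA = der(0x04, MESSAGE)                    # Data.message
GOOD_IMPRINT = der(0x30, SHA256_ALG + der(0x04, hashlib.sha256(MESSAGE).digest()))
# A response whose digest was taken over the whole TLV instead of the value octets:
BAD_IMPRINT = der(0x30, SHA256_ALG + der(0x04, hashlib.sha256(REQUEST_DATA).digest()))
```

The service type selects the branch because 'messageImprint' (a DigestInfo SEQUENCE) and 'certs' (a SEQUENCE OF) both start with the same universal tag, so the tag alone does not identify the choice.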

9.2. DVCS Error Notification

A DVCS Error Notification is a CMS signedData object containing a DVCSResponse with a 'dvErrorNote' choice.

   DVCSErrorNotice ::= SEQUENCE {
       transactionStatus           PKIStatusInfo ,
       transactionIdentifier       GeneralName OPTIONAL }
        

The PKIStatusInfo is defined in [RFC2511]. For the purposes of communicating the DVCSErrorNotice, the following subset of PKIFailureInfo values is used:

   PKIFailureInfo ::= BITSTRING  {
        badRequest       (2),
        -- transaction not permitted or supported
        badTime          (3),
        -- messageTime was not sufficiently close to the system time,
        -- as defined by local policy
        badDataFormat    (5),
        -- the data submitted has the wrong format
        wrongAuthority   (6),
        -- the DVCS indicated in the request is different from the
        -- one creating the response token
        incorrectData    (7)
        --the requester's data (i.e., signature) is incorrect )

In the DVCSErrorNotice, the PKIStatus field of the PKIStatusInfo must be set to REJECTED.

The 'statusString' field of PKIStatusInfo can be used to accommodate extra text, such as a reason for the failure, for example "I have gone out of service". The DVCS initializes the 'DVCSErrorNotice.transactionIdentifier' with a copy of the 'DVCSRequest.transactionIdentifier' field of the corresponding request.

In certain circumstances, a DVCS may not be able to produce a valid response to a request (for example, if it is unable to compute signatures for a period of time). In these situations the DVCS MAY create a response with a DVCSErrorNotice but no signature.

DVCS clients SHOULD NOT trust unsigned responses. A DVCS client MAY trust unsigned responses, if the communication channel provides for server authentication (e.g., by services defined by TLS [RFC2246]).
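
A client interpreting a response has to combine the status rules of sections 7.5, 9, 9.1 and 9.2. The following Python sketch is an added example, not code from the RFC or from any DVCS implementation: it assumes the response has already been decoded by an ASN.1 library into plain values, takes the PKIStatus numbering from RFC 2510, and uses hypothetical function names, outcome labels and constructed sample values.

```python
from enum import IntEnum


class PKIStatus(IntEnum):
    """PKIStatus numbering from RFC 2510; the page itself only names the states."""
    GRANTED = 0
    GRANTED_WITH_MODS = 1
    REJECTION = 2
    WAITING = 3


# Named bits of the PKIFailureInfo subset listed in section 9.2.
FAILURE_BITS = {2: "badRequest", 3: "badTime", 5: "badDataFormat",
                6: "wrongAuthority", 7: "incorrectData"}
# ASN.1 identifiers of the status choices; the prose calls the second 'certstatus'.
STATUS_CHOICES = ("pkistatus", "ocspcertstatus")


def decode_failure_info(content):
    """Names of the bits set in a BIT STRING, given its content octets."""
    if not content or content[0] > 7 or (content[0] and len(content) == 1):
        raise ValueError("malformed BIT STRING content")
    unused, octets = content[0], content[1:]
    names = []
    for bit in range(len(octets) * 8 - unused):
        # ASN.1 numbers bits from the most significant bit of the first octet.
        if octets[bit // 8] & (0x80 >> (bit % 8)):
            names.append(FAILURE_BITS.get(bit, "bit%d" % bit))
    return names


def attribute_chain(target, chain):
    """Attach each status token to the element it describes (section 7.5).

    Tokens are (choice, value) pairs as an ASN.1 decoder would hand them over.
    A status token describes the element just before it, or the target when it
    comes first; consecutive status tokens are taken to describe the same
    element (this example's reading of the text).
    """
    results = [(target, [])]
    for token in chain:
        if token[0] in STATUS_CHOICES:
            results[-1][1].append(token)
        else:
            results.append((token, []))
    return results


def triage(kind, signed, status=None, failure_info=None, channel_authenticated=False):
    """Classify a decoded DVCSResponse; returns (outcome, failure_names).

    kind is 'dvCertInfo' or 'dvErrorNote'; status is None when dvStatus is absent.
    """
    reasons = decode_failure_info(failure_info) if failure_info else []
    if not signed:
        # Always fatal; the details are only believed over an authenticated channel.
        return ("fatal-unsigned", reasons if channel_authenticated else [])
    if kind == "dvErrorNote":
        if status != PKIStatus.REJECTION:
            return ("malformed", [])      # section 9.2: status must be REJECTED
        return ("rejected", reasons)
    if kind != "dvCertInfo":
        raise ValueError("unknown DVCSResponse choice")
    if status is None or status == PKIStatus.GRANTED:
        return ("valid", [])              # absent dvStatus is equivalent to success
    if status == PKIStatus.GRANTED_WITH_MODS:
        return ("valid-with-mods", [])
    if status == PKIStatus.WAITING:
        return ("pending", [])            # a final status follows later
    return ("failed", reasons)            # inspect the 'certs' chains for details


# Constructed samples: BIT STRING content with bits 3 and 7 set and no unused
# bits, and a chain whose first token is a status describing the target.
SAMPLE_FAILURE_INFO = bytes([0x00, 0b00010001])
SAMPLE_TARGET = ("certificate", "end-entity cert")
SAMPLE_CHAIN = [("pkistatus", PKIStatus.REJECTION),
                ("certificate", "CA cert"), ("crl", "CA CRL")]
```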

10. Transports

There is no mandatory transport mechanism in this document. All mechanisms are optional. Two examples of transport protocols are given which allow online exchange of request and a response, and asynchronous communication between a client and a DVCS.

A DVCS MAY use a combination of protocols, for example in order to return additional DVCs.

10.1 DVCS Protocol via HTTP or HTTPS

This subsection specifies a means for conveying ASN.1-encoded messages for the DVCS protocol exchanges via the HyperText Transfer Protocol.

The DER encoded DVCS requests and responses are encapsulated using a simple MIME object with Content-Type application/dvcs (and with the default binary encoding).

This MIME object can be sent and received using common HTTP or HTTPS processing engines over WWW links and provides a simple client-server transport for DVCS messages.

10.2 DVCS Protocol Using Email

This section specifies a means for conveying ASN.1-encoded messages for the protocol exchanges described in Section 8 via Internet mail.

The DER encoded DVCS requests and responses are encapsulated using a simple MIME object with Content-Type application/dvcs with an appropriate Content-Transfer-Encoding.

This MIME object can be sent and received using MIME processing engines and provides a simple Internet mail transport for DVCS messages.

In order to be able to associate a possible error response with a request, the requester SHOULD use the field 'transactionIdentifier'. The requester SHOULD NOT make any assumption about the usage of message header fields by the responding service, in particular the usage of fields like Subject, Message-ID or References.

11. Security Considerations

This entire chapter discusses security considerations.

When designing a data validation and certification service, the following considerations have been identified that have an impact upon the validity or "trust" in the data validation certificate.

It is imperative that keys used to sign DVCs are guarded with proper security and controls in order to minimize the possibility of compromise. Nevertheless, in case the private key does become compromised, an audit trail of all the DVC generated by the DVCS SHOULD be kept as a means to help discriminate between genuine and false DVCs. A DVCS MAY provide for a vsd service to validate DVCs created by this DVCS or another one solely based on the audit trail.

必须对用于签署DVC的密钥进行适当的安全保护和控制,以最大限度地减少泄露的可能性。然而,如果私钥确实被泄露,则应保留DVC生成的所有DVC的审计跟踪,以帮助区分真假DVC。DVCS可提供vsd服务,以验证由该DVCS或仅基于审计跟踪的另一DVCS创建的DVCS。
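One way to keep the audit trail described above and use it to separate genuine from false DVCs once the signing key can no longer be trusted, as an added example that is not part of the RFC. The record layout, the hash chain and the copy of the chain head kept off the server are assumptions; the RFC only asks that a trail be kept.

```python
import hashlib
import hmac
from dataclasses import dataclass

GENESIS = b"\x00" * 32  # assumption: fixed anchor preceding the first entry


@dataclass(frozen=True)
class Entry:
    serial: int        # DVCSCertInfo.serialNumber of the issued DVC
    dvc_sha256: bytes  # SHA-256 over the DER-encoded DVC exactly as issued
    link: bytes        # SHA-256(previous link || serial || dvc_sha256)


def _link(prev: bytes, serial: int, digest: bytes) -> bytes:
    return hashlib.sha256(prev + serial.to_bytes(20, "big") + digest).digest()


class AuditTrail:
    """Append-only record of every DVC the server has issued."""

    def __init__(self):
        self.entries = []

    def record(self, serial: int, dvc_der: bytes) -> bytes:
        """Log a DVC at issuance; returns the new chain head to store off-host."""
        if any(e.serial == serial for e in self.entries):
            raise ValueError("serialNumber already issued")
        prev = self.entries[-1].link if self.entries else GENESIS
        digest = hashlib.sha256(dvc_der).digest()
        self.entries.append(Entry(serial, digest, _link(prev, serial, digest)))
        return self.entries[-1].link

    def intact(self, trusted_head: bytes) -> bool:
        """Recompute every link and compare the head with the off-host copy."""
        prev = GENESIS
        for e in self.entries:
            if _link(prev, e.serial, e.dvc_sha256) != e.link:
                return False
            prev = e.link
        return hmac.compare_digest(prev, trusted_head)

    def classify(self, serial: int, dvc_der: bytes) -> str:
        """Decide from the trail alone, never from the DVC's own signature."""
        digest = hashlib.sha256(dvc_der).digest()
        for e in self.entries:
            if e.serial == serial:
                same = hmac.compare_digest(e.dvc_sha256, digest)
                return "genuine" if same else "false: content differs"
        return "false: unknown serialNumber"


def demo() -> list:
    """Constructed sample data: two issued DVCs, then three presented ones."""
    trail = AuditTrail()
    head = GENESIS
    for serial, der in [(1001, b"constructed DVC A"), (1002, b"constructed DVC B")]:
        head = trail.record(serial, der)
    return [
        trail.intact(head),
        trail.classify(1001, b"constructed DVC A"),
        trail.classify(1002, b"signed with the stolen key"),
        trail.classify(7777, b"signed with the stolen key"),
    ]


if __name__ == "__main__":
    print(demo())
```

The trail is only as trustworthy as the copy of the chain head held outside the server, since whoever holds the signing key may also be able to rewrite local logs.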

When confidentiality and server authentication are required, requests and responses MAY be protected using appropriate mechanisms (e.g., CMS encapsulation [RFC2630] or TLS [RFC2246]).

Server authentication is highly recommended for the vsd and cpd services.

Client identification and authentication MAY use services defined by TLS [RFC2246] instead of, or in addition to, using a CMS format providing authentication.

12. Patent Information

The following United States Patents related to data validation and certification services, listed in chronological order, are known by the authors to exist at this time. This may not be an exhaustive list. Other patents may exist or be issued at any time. Implementers of the DVCS protocol and applications using the protocol SHOULD perform their own patent search and determine whether or not any encumbrances exist on their implementation.

# 4,309,569
Method of Providing Digital Signatures
(issued) January 5, 1982
(inventor) Ralph C. Merkle
(assignee) The Board of Trustees of the Leland Stanford Junior University

# 5,001,752
Public/Key Date-Time Notary Facility
(issued) March 19, 1991
(inventor) Addison M. Fischer

# 5,022,080
Electronic Notary
(issued) June 4, 1991
(inventors) Robert T. Durst, Kevin D. Hunter

# 5,136,643
Public/Key Date-Time Notary Facility
(issued) August 4, 1992
(inventor) Addison M. Fischer
(Note: This is a continuation of patent # 5,001,752.)

# 5,136,646
Digital Document Time-Stamping with Catenate Certificate
(issued) August 4, 1992
(inventors) Stuart A. Haber, Wakefield S. Stornetta Jr.
(assignee) Bell Communications Research, Inc.

# 5,136,647
Method for Secure Time-Stamping of Digital Documents
(issued) August 4, 1992
(inventors) Stuart A. Haber, Wakefield S. Stornetta Jr.
(assignee) Bell Communications Research, Inc.

# 5,373,561
Method of Extending the Validity of a Cryptographic Certificate
(issued) December 13, 1994
(inventors) Stuart A. Haber, Wakefield S. Stornetta Jr.
(assignee) Bell Communications Research, Inc.

# 5,422,95
Personal Date/Time Notary Device
(issued) June 6, 1995
(inventor) Addison M. Fischer

# 5,781,629
Digital Document Authentication System
(issued) July 14, 1998
(inventors) Stuart A. Haber, Wakefield S. Stornetta Jr.
(assignee) Surety Technologies, Inc.

13. References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2510] Adams, C. and S. Farrell, "Internet X.509 Public Key Infrastructure, Certificate Management Protocols", RFC 2510, March 1999.

[RFC2459] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet X.509 Public Key Infrastructure, Certificate and CRL Profile", RFC 2459, January 1999.

[RFC2630] Housley, R., "Cryptographic Message Syntax", RFC 2630, June 1999.

[ISONR] ISO/IEC 10181-5: Security Frameworks in Open Systems. Non-Repudiation Framework.

[RFC2511] Myers, M., Adams, C., Solo, D. and D. Kemp, "Internet X.509 Certificate Request Message Format", RFC 2511, March 1999.

[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol, Version 1.0", RFC 2246, January 1999.

[RFC2634] Hoffman, P., "Enhanced Security Services for S/MIME", RFC 2634, June 1999.

[RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S. and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol", RFC 2560, June 1999.

14. Authors' Addresses

Carlisle Adams
Entrust Technologies
1000 Innovation Drive
Ottawa, Ontario
K2K 3E7
CANADA

   EMail: cadams@entrust.com

Michael Zolotarev
Baltimore Technologies Pty Limited
5th Floor, 1 James Place
North Sydney, NSW 2060
AUSTRALIA

   EMail: mzolotarev@baltimore.com

Peter Sylvester
EdelWeb SA - Groupe ON-X Consulting
15, Quai de Dion Bouton
F-92816 Puteaux Cedex
FRANCE

   EMail: peter.sylvester@edelweb.fr

Robert Zuccherato
Entrust Technologies
1000 Innovation Drive
Ottawa, Ontario
K2K 3E7
CANADA

   EMail: robert.zuccherato@entrust.com
        

APPENDIX A - PKCS #9 Attribute

We define a PKCS #9 [PKCS9] attribute type. The attribute type has ASN.1 type SignedData and contains a data validation certificate.

The object identifier id-aa-dvcs-dvc identifies the data validation certificate attribute type.

   id-aa-dvcs-dvc OBJECT IDENTIFIER ::= {iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) aa(2) 29}

The attribute may be used as an authenticated or unauthenticated attribute in CMS SignedData documents.

APPENDIX B - Signed document validation.

We present some examples of a possible use of DVCS in the context of validation of signed documents.

B.1 Signed document validation

The example covers the case where a DVCS is used by a signer to obtain a proof that a document's structure, including one or more attached signatures, is/was correct, after the document was signed.

The DVC can be produced either by a DVCS that is trusted by the signer, or by a DVCS that is trusted by an intended verifier of the document.

The signer uses the obtained DVC as evidence that its intentions were good and that it produced a signed document using an environment (keys, algorithms, etc.) that was known to be OK.

It produces a stand-alone document that can be used to extend the life of a signature. This example assumes that we have total trust in the Data Validation and Certification Server.

Signature algorithms and keys have a finite lifetime. Therefore, signatures have a finite lifetime. The Data Certification Server can be used to extend the lifetime of a signature.

In order to extend the lifetime of a signature in this way, the following technique can be used:

1) The signature needs to be certified:

The signed message is presented to the Data Validation and Certification Server in a 'vsd' service request.

The DVCS verifies that the signature and certificates are valid at that time by checking expiry dates, status information, or DVCs, and returns a DVC.

2) The DVC SHOULD be verified.

The signature of the Data Validation and Certification Server in the data certification token SHALL be verified using the Data Certification Server's valid verification key.

A signer's signing key (and therefore, its signature) is only valid until some specified time T1. The DVCS's signing key (and therefore, its signature) is valid until some specified time T2 that is (usually) after time T1. Without certification, the signer's signature would only be valid until time T1. With certification, the signer's signature remains valid until time T2, regardless of subsequent revocation or expiry at time T1.

If the signature of the DVCS is valid, the trust we have in the DVCS allows us to conclude that the original signature on the data was valid at the time included in the DVC.

The DVCS signing key MUST be of a sufficient length to allow for a sufficiently long lifetime. Even if this is done, the key will have a finite lifetime. Since data validation certificates are just another type of signed document, they can be validated using (another) DVCS.
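The T1/T2 argument above, carried through for a chain of DVCs in which each later DVC certifies the previous one, as an added example that is not part of the RFC. The DVC tuple, the function names and all dates are constructed for illustration, and the DVCS signatures themselves are assumed to have been verified already.

```python
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional


class DVC(NamedTuple):
    issued_at: datetime        # time certified in the DVC
    key_valid_until: datetime  # T2 of the signing key of the issuing DVCS


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def verifiable_until(t1: datetime, chain: List[DVC],
                     revoked_at: Optional[datetime] = None) -> datetime:
    """Latest time at which the original signature can still be relied on.

    t1 is the end of validity of the signer's key. chain[0] certifies the
    signed document; chain[i] certifies chain[i - 1].
    """
    # Without certification the signature is good until T1, or until the
    # signer's certificate is revoked, whichever comes first.
    horizon = min(t1, revoked_at) if revoked_at is not None else t1
    for dvc in chain:
        if dvc.issued_at > dvc.key_valid_until:
            break  # issued after the DVCS key itself had expired
        if dvc.issued_at > horizon:
            break  # what it certifies was no longer valid at that time
        horizon = max(horizon, dvc.key_valid_until)
    return horizon


# Constructed sample: signer key valid until T1, then two DVCs in sequence.
T1 = utc(2003, 1, 1)
CHAIN = [
    DVC(issued_at=utc(2002, 6, 1), key_valid_until=utc(2008, 1, 1)),
    DVC(issued_at=utc(2007, 6, 1), key_valid_until=utc(2015, 1, 1)),
]

if __name__ == "__main__":
    print(verifiable_until(T1, CHAIN))
    print(verifiable_until(T1, CHAIN, revoked_at=utc(2002, 3, 1)))
```

A revocation dated before the first DVC stops the chain at the revocation time, while one dated after it changes nothing, which is the "regardless of subsequent revocation" case in the text.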

APPENDIX C - Verifying the Status of a Public Key Certificate

We now present three examples of how to produce a data validation certificate that can be used to assert that a public key certificate is valid, trusted, and can be used for a particular purpose.

A client wants to use a given public key certificate either to verify a signature on a document or for document encryption.

A DVCS MUST have access to current information regarding public certificate status; it can therefore be used to verify the revocation status of a certificate at the current time.

The following technique can be used:

A) The public key certificate needs to be validated.

The certificate is presented to the Data Certification Server using a 'vpkc' service.

The Data Validation and Certification Server verifies that the public key certificate is valid and that it hasn't been revoked and then returns a data validation certificate.

B) The data validation certificate MUST be verified.

The signature of the Data Certification Server in the data certification token SHALL be verified using the Data Validation and Certification Server's valid certificate.

C) The public key certificate is used:

C.1) A client's own public key certificate (i.e., the corresponding private key) can be used to add a signature to a document. The signing certificate and the data validation certificate can be added as signed attributes to the signature.

A data validation certificate can now be used during the validation of signatures using the key contained in the public key certificate. This service provided by the DVCS can be thought of as a supplement to the usual method of checking revocation status.

In other words, signature validation at a later time does not necessarily require access to the revocation status of the user's signing certificate; access to a DVCS service and validation of the DVC is sufficient to verify a signature. Note that the DVC does not tell when the signature had been created; it only indicates when the signing certificate was valid.

C.2) A public key certificate for key exchange can be used to encrypt data after having obtained a data validation certificate. The DVC can be stored with the data and/or stored by the creator of the encrypted document.

If an intended recipient of the document claims that the creator did not use an appropriate encryption key, the DVC (obtained by a recipient's DVCS) can be used as evidence that the recipient's DVCS has authorized the usage of the public key.

C.3) The procedure described in the previous paragraph can be enhanced to provide domain encryption in several ways. Organizations require that encrypted documents be recoverable. One simple way is to always encrypt documents with additional recipients that act as 'domain encryption centers' or 'recovery centers'. This is not a technically difficult problem, but may require complicated and difficult interactions with the end user, in particular when the document's recipients are in several different organizations.

One possible solution consists of adding additional certificates to the dvc that validates the usage of a particular public key certificate used for encryption. In an environment of several organizations, one of the possible procedures may be:

The client asks its local dvcs to validate the public key certificate. The dvcs forwards the request to a dvcs of a remote organization. The remote organization's dvcs verifies the certificate and provides a dvc assertion validating the certificate. It adds additional certificates usable for key exchange to the certEtcChain structure indicating additional required recipients. The local dvcs creates a dvc containing the dvc of the remote dvcs. It may add additional certificates or references to the dvc. The client uses all validated certificates that are usable for key exchange to extend its list of recipients.

The local dvcs may as well use local information about the remote organization's need for additional recipients.

Appendix D - MIME Registration

   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/timestamp

MIME media type name: application

MIME subtype name: dvcs

Required parameters: None

Optional parameters: None

Encoding considerations: binary or Base64

Security considerations: Carries a request for a data validation and certification service and the response. A request may be cryptographically signed. The response will be cryptographically signed.

Interoperability considerations: None

Published specification: RFC 3029 on Data Validation and Certification Server Protocols

Applications which use this media type: Data Validation and Certification Servers and Clients

Additional information:

     Magic number(s): None
     File extension(s): .dvc
     Macintosh File Type Code(s): none

Person & email address to contact for further information: Peter Sylvester <peter.sylvester@edelweb.fr>

Intended usage: COMMON

Author/Change controller: Peter Sylvester <peter.sylvester@edelweb.fr>
        

Appendix E - ASN.1 Module using 1988 Syntax


PKIXDVCS {iso(1) identified-organization(3) dod(6) internet(1)
   security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-dvcs(15)}
        
DEFINITIONS IMPLICIT TAGS ::=
        

BEGIN


-- EXPORTS ALL --


IMPORTS
  Extensions, AlgorithmIdentifier
  FROM PKIX1Explicit88 {iso(1) identified-organization(3)
  dod(6) internet(1) security(5) mechanisms(5) pkix(7)
  id-mod(0) id-pkix1-explicit-88(1)}
        
  GeneralName, PolicyInformation
  FROM PKIX1Implicit88 {iso(1) identified-organization(3)
  dod(6) internet(1) security(5) mechanisms(5) pkix(7)
  id-mod(0) id-pkix1-implicit-88(2)}
        
  PKIStatusInfo, PKIStatusField FROM PKIXCMP {iso(1)
  identified-organization(3) dod(6) internet(1) security(5)
  mechanisms(5) pkix(7) id-mod(0)
  id-mod-cmp(9)}
        
  ContentInfo FROM CryptographicMessageSyntax {iso(1)
  member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
  smime(16) modules(0) cms(1)}
        
  ESSCertID FROM ExtendedSecurityServices
  { iso(1) member-body(2) us(840) rsadsi(113549)
  pkcs(1) pkcs-9(9) smime(16) modules(0) ess(2) }
        
  CertId, OCSPResponse, CertStatus
  FROM OCSP
  {iso(1) identified-organization(3)
  dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
  id-mod-ocsp(14)}
        
  SMIMECapabilities FROM SecureMimeMessageV3
  { iso(1) member-body(2) us(840) rsadsi(113549)
   pkcs(1) pkcs-9(9) smime(16) modules(0) smime(4) }
        

;

-- Authority Information Access for DVCS


id-ad-dvcs  OBJECT IDENTIFIER ::= {id-pkix id-ad(48) 4}
        

-- Key Purpose for DVCS


id-kp-dvcs  OBJECT IDENTIFIER ::= {id-pkix id-kp(3) 10}
        

-- eContentType for a dvcs requests and responses


id-ct-DVCSRequestData  OBJECT IDENTIFIER ::= { id-smime ct(1) 7 }
id-ct-DVCSResponseData OBJECT IDENTIFIER ::= { id-smime ct(1) 8 }
        

-- Data validation certificate attribute


id-aa-dvcs-dvc OBJECT IDENTIFIER ::= { id-smime aa(2) 29 }
        

-- using the following bases :


id-pkix     OBJECT IDENTIFIER ::= {iso(1)
               identified-organization(3) dod(6)
               internet(1) security(5) mechanisms(5) pkix(7)}
        
id-smime    OBJECT IDENTIFIER ::= { iso(1) member-body(2)
               us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 16 }
        
Version ::= Integer
        
DigestInfo ::= SEQUENCE {
    digestAlgorithm   DigestAlgorithmIdentifier,
    digest            Digest
}
        
Digest ::= OCTET STRING
        
Nonce ::= Integer
        
DVCSTime ::= CHOICE  {
     genTime                      GeneralizedTime,
     timeStampToken               ContentInfo
}

TargetEtcChain ::= SEQUENCE {
     target                       CertEtcToken,
     chain                        SEQUENCE SIZE (1..MAX) OF
                                     CertEtcToken OPTIONAL,
     pathProcInput                [0] PathProcInput OPTIONAL
}
        
PathProcInput ::= SEQUENCE {
     acceptablePolicySet          SEQUENCE SIZE (1..MAX) OF
                                     PolicyInformation,
     inhibitPolicyMapping         BOOLEAN DEFAULT FALSE,
     explicitPolicyReqd           BOOLEAN DEFAULT FALSE
}
        
CertEtcToken ::= CHOICE {
     certificate                  [0] IMPLICIT Certificate ,
     esscertid                    [1] ESSCertId ,
     pkistatus                    [2] IMPLICIT PKIStatusInfo ,
     assertion                    [3] ContentInfo ,
     crl                          [4] IMPLICIT CertificateList,
     ocspcertstatus               [5] IMPLICIT CertStatus,
     oscpcertid                   [6] IMPLICIT CertId ,
     oscpresponse                 [7] IMPLICIT OCSPResponse,
     capabilities                 [8] SMIMECapabilities,
     extension                    Extension
}
        
DVCSRequestInformation ::= SEQUENCE  {
        version                      INTEGER DEFAULT 1 ,
        service                      ServiceType,
        nonce                        Nonce OPTIONAL,
        requestTime                  DVCSTime OPTIONAL,
        requester                    [0] GeneralNames OPTIONAL,
        requestPolicy                [1] PolicyInformation OPTIONAL,
        dvcs                         [2] GeneralNames OPTIONAL,
        dataLocations                [3] GeneralNames OPTIONAL,
        extensions                   [4] IMPLICIT Extensions OPTIONAL
}
        
ServiceType ::= ENUMERATED { cpd(1), vsd(2), cpkc(3), ccpd(4) }
        
DVCSRequest ::= SEQUENCE  {
    requestInformation         DVCSRequestInformation,
    data                       Data,
    transactionIdentifier      GeneralName OPTIONAL
}
        
Data ::= CHOICE {
      message           OCTET STRING ,
      messageImprint    DigestInfo,
      certs             SEQUENCE SIZE (1..MAX) OF
                            TargetEtcChain
}
        
DVCSResponse ::= CHOICE
{
    dvCertInfo         DVCSCertInfo ,
    dvErrorNote        [0] DVCSErrorNotice
}
        
DVCSCertInfo::= SEQUENCE  {
         version             Integer DEFAULT 1 ,
         dvReqInfo           DVCSRequestInformation,
         messageImprint      DigestInfo,
         serialNumber        Integer,
         responseTime        DVCSTime,
         dvStatus            [0] PKIStatusInfo OPTIONAL,
         policy              [1] PolicyInformation OPTIONAL,
         reqSignature        [2] SignerInfos  OPTIONAL,
         certs               [3] SEQUENCE SIZE (1..MAX) OF
                                 TargetEtcChain OPTIONAL,
         extensions          Extensions OPTIONAL
}
        
DVCSErrorNotice ::= SEQUENCE {
    transactionStatus           PKIStatusInfo ,
    transactionIdentifier       GeneralName OPTIONAL
}
        

END
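The mail transport of Section 10.2 and the DVCSRequest type of the module above, combined in an added example that is not part of the RFC: it DER-encodes an unsigned ccpd request, carries it as an application/dvcs MIME object, and recovers transactionIdentifier from the payload rather than from mail headers. The CMS wrapping is left out, and the SHA-256 digest, the urn:example identifier and the example.org addresses are assumptions.

```python
import hashlib
from email import message_from_bytes
from email.mime.application import MIMEApplication

SHA256 = "2.16.840.1.101.3.4.2.1"  # assumption; the dump in Appendix F uses sha1
SERVICES = {1: "cpd", 2: "vsd", 3: "cpkc", 4: "ccpd"}  # as spelled in the module


def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with a definite, minimal length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


def oid_body(dotted: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER (base-128 arcs, first two merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def children(body: bytes) -> list:
    """Split DER content into (tag, content) pairs; single-octet tags only."""
    items, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated DER header")
        tag, n = body[i], body[i + 1]
        i += 2
        if n & 0x80:  # long form: the next k octets hold the length
            k = n & 0x7F
            if k == 0 or i + k > len(body):
                raise ValueError("unsupported or truncated DER length")
            n = int.from_bytes(body[i:i + k], "big")
            i += k
        if i + n > len(body):
            raise ValueError("DER value runs past its container")
        items.append((tag, body[i:i + n]))
        i += n
    return items


def build_request(data: bytes, txn_uri: str) -> bytes:
    """DVCSRequest for ccpd with a messageImprint and a transactionIdentifier."""
    info = tlv(0x30, tlv(0x0A, b"\x04"))      # version DEFAULT 1 is omitted in DER
    alg = tlv(0x30, tlv(0x06, oid_body(SHA256)))
    imprint = tlv(0x30, alg + tlv(0x04, hashlib.sha256(data).digest()))
    txn = tlv(0x86, txn_uri.encode("ascii"))  # GeneralName uniformResourceIdentifier [6]
    return tlv(0x30, info + imprint + txn)


def parse_request(der: bytes) -> dict:
    top = children(der)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("expected exactly one DVCSRequest SEQUENCE")
    fields = children(top[0][1])
    if len(fields) < 2 or fields[0][0] != 0x30 or fields[1][0] != 0x30:
        raise ValueError("requestInformation or messageImprint missing")
    service = [v for t, v in children(fields[0][1]) if t == 0x0A]
    if len(service) != 1 or len(service[0]) != 1 or service[0][0] not in SERVICES:
        raise ValueError("bad ServiceType")
    _alg, digest = children(fields[1][1])
    txn = next((v.decode("ascii") for t, v in fields[2:] if t == 0x86), None)
    return {"service": SERVICES[service[0][0]], "digest": digest[1], "txn": txn}


def to_mail(der: bytes, sender: str, rcpt: str) -> bytes:
    msg = MIMEApplication(der, "dvcs")  # Content-Type application/dvcs, base64
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "DVCS request"
    return msg.as_bytes()


def from_mail(raw: bytes) -> bytes:
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "application/dvcs":
        raise ValueError("not a DVCS MIME object")
    return msg.get_payload(decode=True)


def demo() -> dict:
    """Constructed sample: a relay rewrites Subject; the DER payload is untouched."""
    der = build_request(b"constructed sample document", "urn:example:txn-0001")
    raw = to_mail(der, "client@example.org", "dvcs@example.org")
    raw = raw.replace(b"Subject: DVCS request", b"Subject: [relayed]")
    return parse_request(from_mail(raw))


if __name__ == "__main__":
    print(demo())
```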


Appendix F - Examples

This chapter contains an example of a request and a response of a 'Certify Claim of Possession of Data' transaction of the Clepsydre Demonstration Project sponsored by La Poste, France.

The information has been formatted with a slightly modified version of Peter Gutmann's dumpasn1 program.

The response Data Validation Certificate contains the signing certificate.

The data that is time stamped is the binary of the client program used to make the request.

Request:

   0 30  582: SEQUENCE {
   4 06    9:  OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
            : . (PKCS #7)
  15 A0  567:  [0] {
  19 30  563: . SEQUENCE {
  23 02    1: .  INTEGER 3
  26 31   11: .  SET {
  28 30    9: . . SEQUENCE {
  30 06    5: . .  OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
  37 05    0: . .  NULL
            : . .  }
            : . . }
  39 30  153: .  SEQUENCE {
  42 06   11: . . OBJECT IDENTIFIER
            : . .  id-ct-DVCSRequestData (1 2 840 113549 1 9 16 1 7)
            : . .  (S/MIME Content Types (1 2 840 113549 1 9 16 1))
  55 A0  137: . . [0] {
  58 04  134: . .  OCTET STRING, encapsulates {
  61 30  131: . . .  SEQUENCE {
  64 30   96: . . . . SEQUENCE {
  66 0A    1: . . . .  ENUMERATED CCPD (4)
  69 A0   77: . . . .  [0] {
  71 A4   75: . . . . . [4] {
  73 30   73: . . . . .  SEQUENCE {
  75 31   11: . . . . . . SET {
  77 30    9: . . . . . .  SEQUENCE {
  79 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  countryName (2 5 4 6)
            : . . . . . . .  (X.520 id-at (2 5 4))
  84 13    2: . . . . . . . PrintableString 'FR'
            : . . . . . . . }
            : . . . . . .  }
  88 31   14: . . . . . . SET {
  90 30   12: . . . . . .  SEQUENCE {
  92 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  localityName (2 5 4 7)
            : . . . . . . .  (X.520 id-at (2 5 4))
  97 13    5: . . . . . . . PrintableString 'Paris'
            : . . . . . . . }
            : . . . . . .  }
        
 104 31   16: . . . . . . SET {
 106 30   14: . . . . . .  SEQUENCE {
 108 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  organizationName (2 5 4 10)
            : . . . . . . .  (X.520 id-at (2 5 4))
 113 13    7: . . . . . . . PrintableString 'EdelWeb'
            : . . . . . . . }
            : . . . . . .  }
 122 31   24: . . . . . . SET {
 124 30   22: . . . . . .  SEQUENCE {
 126 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  commonName (2 5 4 3)
            : . . . . . . .  (X.520 id-at (2 5 4))
 131 13   15: . . . . . . . PrintableString 'Peter Sylvester'
            : . . . . . . . }
            : . . . . . .  }
            : . . . . . . }
            : . . . . .  }
            : . . . . . }
 148 A1   12: . . . .  [1] {
 150 06   10: . . . . . OBJECT IDENTIFIER '1 3 6 1 4 1 5309 1 2 1'
            : . . . . . }
            : . . . .  }
 162 30   31: . . . . SEQUENCE {
 164 30    7: . . . .  SEQUENCE {
 166 06    5: . . . . . OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
            : . . . . .  (OIW)
            : . . . . . }
 173 04   20: . . . .  OCTET STRING
            : . . . .  75 B6 85 AF 6F 89 46 7D E8 07 15 25 1E 45 97 8F
            : . . . .  CD 1F A5 66
            : . . . .  }
            : . . . . }
            : . . .  }
            : . .  }
            : . . }
 195 31  387: .  SET {
 199 30  383: . . SEQUENCE {
 203 02    1: . .  INTEGER 1
 206 30  124: . .  SEQUENCE {
 208 30  112: . . . SEQUENCE {
 210 31   11: . . .  SET {
 212 30    9: . . . . SEQUENCE {
 214 06    3: . . . .  OBJECT IDENTIFIER countryName (2 5 4 6)
            : . . . . . (X.520 id-at (2 5 4))
 219 13    2: . . . .  PrintableString 'FR'
            : . . . .  }
            : . . . . }
 223 31   21: . . .  SET {
 225 30   19: . . . . SEQUENCE {
 227 06    3: . . . .  OBJECT IDENTIFIER organizationName (2 5 4 10)
            : . . . . . (X.520 id-at (2 5 4))
 232 13   12: . . . .  PrintableString 'EdelWeb S.A.'
            : . . . .  }
            : . . . . }
 246 31   40: . . .  SET {
 248 30   38: . . . . SEQUENCE {
 250 06    3: . . . .  OBJECT IDENTIFIER
            : . . . . . organizationalUnitName (2 5 4 11)
            : . . . . . (X.520 id-at (2 5 4))
 255 13   31: . . . .  PrintableString 'Clepsydre Demonstration Service'
            : . . . .  }
            : . . . . }
 288 31   32: . . .  SET {
 290 30   30: . . . . SEQUENCE {
 292 06    3: . . . .  OBJECT IDENTIFIER commonName (2 5 4 3)
            : . . . . . (X.520 id-at (2 5 4))
 297 13   23: . . . .  PrintableString 'Time Stamping Authority'
            : . . . .  }
            : . . . . }
            : . . .  }
 322 02    8: . . . INTEGER
            : . . .  00 94 88 17 21 34 37 76
            : . . . }
 332 30    9: . .  SEQUENCE {
 334 06    5: . . . OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
            : . . .  (OIW)
 341 05    0: . . . NULL
            : . . . }
 343 A0   95: . .  [0] {
 345 30   26: . . . SEQUENCE {
 347 06    9: . . .  OBJECT IDENTIFIER
            : . . . . contentType (1 2 840 113549 1 9 3)
            : . . . . (PKCS #9 (1 2 840 113549 1 9))
 358 31   13: . . .  SET {
 360 06   11: . . . . OBJECT IDENTIFIER
            : . . . .  id-ct-dvcsrequest (1 2 840 113549 1 9 16 1 7)
            : . . . .  (S/MIME Content Types (1 2 840 113549 1 9 16 1))
            : . . . . }
            : . . .  }
 373 30   28: . . . SEQUENCE {
 375 06    9: . . .  OBJECT IDENTIFIER
            : . . . . signingTime (1 2 840 113549 1 9 5)
            : . . . . (PKCS #9 (1 2 840 113549 1 9))
 386 31   15: . . .  SET {
 388 17   13: . . . . UTCTime '000417171457Z'
            : . . . . }
            : . . .  }
 403 30   35: . . . SEQUENCE {
 405 06    9: . . .  OBJECT IDENTIFIER
            : . . . . messageDigest (1 2 840 113549 1 9 4)
            : . . . . (PKCS #9 (1 2 840 113549 1 9))
 416 31   22: . . .  SET {
 418 04   20: . . . . OCTET STRING
            : . . . .  4D A8 C2 D2 CE 7C 0D 04 41 2F 44 13 33 75 DB 2F
            : . . . .  5B 2D F9 DC
            : . . . . }
            : . . .  }
            : . . . }
 440 30   13: . .  SEQUENCE {
 442 06    9: . . . OBJECT IDENTIFIER
            : . . .  rsaEncryption (1 2 840 113549 1 1 1)
            : . . .  (PKCS #1)
 453 05    0: . . . NULL
            : . . . }
 455 04  128: . .  OCTET STRING
            : . . . 6E 7B 0E 36 F5 08 5F 16 3C 31 7B 28 BB 0B C2 C6
            : . . . 17 67 A6 B5 54 F1 98 E2 6F 89 96 0E 0C 99 E6 CB
            : . . . 40 C1 9B 8D D8 D7 8E D3 2B 41 F7 16 26 5B B7 08
            : . . . BF E6 95 B2 D9 01 6C FE B1 2C 52 C1 5A D2 31 F3
            : . . . 8E CA DD 11 A1 72 05 29 41 6A DD 28 40 AA 5C 77
            : . . . C6 9D 1D 80 53 DB 6F 9C 4C A5 A3 8F 92 8B 18 3F
            : . . . D5 3A AD 01 87 69 C3 FD D3 D8 C3 D0 CA 6B E6 0D
            : . . . 4E 53 6E 50 20 99 7C 94 C2 44 25 1B 06 C0 99 96
            : . .  }
            : . . }
            : .  }
            : . }
            :  }

The corresponding data in PEM format are:


Response:

   0 30 2039: SEQUENCE {
   4 06    9:  OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
            : . (PKCS #7)
  15 A0 2024:  [0] {
  19 30 2020: . SEQUENCE {
  23 02    1: .  INTEGER 3
  26 31   11: .  SET {
  28 30    9: . . SEQUENCE {
  30 06    5: . .  OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
            : . . . (OIW)
  37 05    0: . .  NULL
            : . .  }
            : . . }
  39 30  301: .  SEQUENCE {
  43 06   11: . . OBJECT IDENTIFIER
            : . .  id-ct-DVCSResponseData (1 2 840 113549 1 9 16 1 8)
            : . .  (S/MIME Content Types (1 2 840 113549 1 9 16 1))
  56 A0  284: . . [0] {
  60 04  280: . .  OCTET STRING, encapsulates {
  64 30  276: . . .  SEQUENCE {
  68 30  214: . . . . SEQUENCE {
  71 0A    1: . . . .  ENUMERATED CCPD (4)
  74 A0   77: . . . .  [0] {
  76 A4   75: . . . . . [4] {
  78 30   73: . . . . .  SEQUENCE {
  80 31   11: . . . . . . SET {
  82 30    9: . . . . . .  SEQUENCE {
  84 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  countryName (2 5 4 6)
            : . . . . . . .  (X.520 id-at (2 5 4))
  89 13    2: . . . . . . . PrintableString 'FR'
            : . . . . . . . }
            : . . . . . .  }
  93 31   14: . . . . . . SET {
  95 30   12: . . . . . .  SEQUENCE {
  97 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  localityName (2 5 4 7)
            : . . . . . . .  (X.520 id-at (2 5 4))
 102 13    5: . . . . . . . PrintableString 'Paris'
            : . . . . . . . }
            : . . . . . .  }
 109 31   16: . . . . . . SET {
 111 30   14: . . . . . .  SEQUENCE {
 113 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  organizationName (2 5 4 10)
            : . . . . . . .  (X.520 id-at (2 5 4))
 118 13    7: . . . . . . . PrintableString 'EdelWeb'
            : . . . . . . . }
            : . . . . . .  }
 127 31   24: . . . . . . SET {
 129 30   22: . . . . . .  SEQUENCE {
 131 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  commonName (2 5 4 3)
            : . . . . . . .  (X.520 id-at (2 5 4))
 136 13   15: . . . . . . . PrintableString 'Peter Sylvester'
            : . . . . . . . }
            : . . . . . .  }
            : . . . . . . }
            : . . . . .  }
            : . . . . . }
 153 A1   12: . . . .  [1] {
 155 06   10: . . . . . OBJECT IDENTIFIER '1 3 6 1 4 1 5309 1 2 1'
            : . . . . . }
 167 A2  116: . . . .  [2] {
 169 A4  114: . . . . . [4] {
 171 30  112: . . . . .  SEQUENCE {
 173 31   11: . . . . . . SET {
 175 30    9: . . . . . .  SEQUENCE {
 177 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  countryName (2 5 4 6)
            : . . . . . . .  (X.520 id-at (2 5 4))
 182 13    2: . . . . . . . PrintableString 'FR'
            : . . . . . . . }
            : . . . . . .  }
 186 31   21: . . . . . . SET {
 188 30   19: . . . . . .  SEQUENCE {
 190 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  organizationName (2 5 4 10)
            : . . . . . . .  (X.520 id-at (2 5 4))
 195 13   12: . . . . . . . PrintableString 'EdelWeb S.A.'
            : . . . . . . . }
            : . . . . . .  }
 209 31   40: . . . . . . SET {
 211 30   38: . . . . . .  SEQUENCE {
 213 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  organizationalUnitName (2 5 4 11)
            : . . . . . . .  (X.520 id-at (2 5 4))
 218 13   31: . . . . . . . PrintableString 'Clepsydre Demonstration Service'
            : . . . . . . . }
            : . . . . . .  }
 251 31   32: . . . . . . SET {
 253 30   30: . . . . . .  SEQUENCE {
 255 06    3: . . . . . . . OBJECT IDENTIFIER
            : . . . . . . .  commonName (2 5 4 3)
            : . . . . . . .  (X.520 id-at (2 5 4))
 260 13   23: . . . . . . . PrintableString 'Time Stamping Authority'
            : . . . . . . . }
            : . . . . . .  }
            : . . . . . . }
            : . . . . .  }
            : . . . . . }
            : . . . .  }
 285 30   31: . . . . SEQUENCE {
 287 30    7: . . . .  SEQUENCE {
 289 06    5: . . . . . OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
            : . . . . . }
 296 04   20: . . . .  OCTET STRING
            : . . . .  75 B6 85 AF 6F 89 46 7D E8 07 15 25 1E 45 97 8F
            : . . . .  CD 1F A5 66
            : . . . .  }
 318 02    7: . . . . INTEGER
            : . . . .  01 78 0A 1E CA 88 23
 327 18   15: . . . . GeneralizedTime '20000417171617Z'
            : . . . . }
            : . . .  }
            : . .  }
            : . . }
 344 A0  992: .  [0] {
 348 30  988: . . SEQUENCE {
 352 30  708: . .  SEQUENCE {
 356 A0    3: . . . [0] {
 358 02    1: . . .  INTEGER 2
            : . . .  }
 361 02    8: . . . INTEGER
            : . . .  00 94 88 17 17 64 37 32
 371 30   13: . . . SEQUENCE {
 373 06    9: . . .  OBJECT IDENTIFIER
            : . . . . md5withRSAEncryption (1 2 840 113549 1 1 4)
            : . . . . (PKCS #1)
 384 05    0: . . .  NULL
            : . . .  }
 386 30  112: . . . SEQUENCE {
 388 31   11: . . .  SET {
 390 30    9: . . . . SEQUENCE {
 392 06    3: . . . .  OBJECT IDENTIFIER countryName (2 5 4 6)
            : . . . . . (X.520 id-at (2 5 4))
 397 13    2: . . . .  PrintableString 'FR'
            : . . . .  }
            : . . . . }
 401 31   21: . . .  SET {
 403 30   19: . . . . SEQUENCE {
 405 06    3: . . . .  OBJECT IDENTIFIER organizationName (2 5 4 10)
            : . . . . . (X.520 id-at (2 5 4))
 410 13   12: . . . .  PrintableString 'EdelWeb S.A.'
            : . . . .  }
            : . . . . }
 424 31   40: . . .  SET {
 426 30   38: . . . . SEQUENCE {
 428 06    3: . . . .  OBJECT IDENTIFIER
            : . . . . . organizationalUnitName (2 5 4 11)
            : . . . . . (X.520 id-at (2 5 4))
 433 13   31: . . . .  PrintableString 'Clepsydre Demonstration Service'
            : . . . .  }
            : . . . . }
 466 31   32: . . .  SET {
 468 30   30: . . . . SEQUENCE {
 470 06    3: . . . .  OBJECT IDENTIFIER commonName (2 5 4 3)
            : . . . . . (X.520 id-at (2 5 4))
 475 13   23: . . . .  PrintableString 'Time Stamping Authority'
            : . . . .  }
            : . . . . }
            : . . .  }
 500 30   30: . . . SEQUENCE {
 502 17   13: . . .  UTCTime '000125161938Z'
 517 17   13: . . .  UTCTime '200120161938Z'
            : . . .  }
 532 30  112: . . . SEQUENCE {
 534 31   11: . . .  SET {
 536 30    9: . . . . SEQUENCE {
 538 06    3: . . . .  OBJECT IDENTIFIER countryName (2 5 4 6)
            : . . . . . (X.520 id-at (2 5 4))
 543 13    2: . . . .  PrintableString 'FR'
            : . . . .  }
            : . . . . }
 547 31   21: . . .  SET {
 549 30   19: . . . . SEQUENCE {
 551 06    3: . . . .  OBJECT IDENTIFIER organizationName (2 5 4 10)
            : . . . . . (X.520 id-at (2 5 4))
 556 13   12: . . . .  PrintableString 'EdelWeb S.A.'
            : . . . .  }
            : . . . . }
 570 31   40: . . .  SET {
 572 30   38: . . . . SEQUENCE {
 574 06    3: . . . .  OBJECT IDENTIFIER
            : . . . . . organizationalUnitName (2 5 4 11)
            : . . . . . (X.520 id-at (2 5 4))
 579 13   31: . . . .  PrintableString 'Clepsydre Demonstration Service'
            : . . . .  }
            : . . . . }
 612 31   32: . . .  SET {
 614 30   30: . . . . SEQUENCE {
 616 06    3: . . . .  OBJECT IDENTIFIER commonName (2 5 4 3)
            : . . . . . (X.520 id-at (2 5 4))
 621 13   23: . . . .  PrintableString 'Time Stamping Authority'
            : . . . .  }
            : . . . . }
            : . . .  }
 646 30  290: . . . SEQUENCE {
 650 30   13: . . .  SEQUENCE {
 652 06    9: . . . . OBJECT IDENTIFIER
            : . . . .  rsaEncryption (1 2 840 113549 1 1 1)
            : . . . .  (PKCS #1)
 663 05    0: . . . . NULL
            : . . . . }
 665 03  271: . . .  BIT STRING 0 unused bits
            : . . . . 30 82 01 0A 02 82 01 01 00 FA C3 17 AE EB B7 9D
            : . . . . EB AB BD 05 7E 39 43 6D 04 45 58 74 05 A5 CC F3
            : . . . . 6C 2F 8C 8E 77 7E C2 9F 12 11 5C 7D DB BE 23 28
            : . . . . 9A 90 D2 AB C6 A2 BA BD A3 7E 99 A6 99 21 A5 D8
            : . . . . 90 B9 CF A7 23 4E A0 56 A0 C1 0A 46 89 8E 3C 91
            : . . . . 67 37 FD 9B AB 49 17 FC 4A A5 F2 E4 4C 6E E3 6A
            : . . . . 1C 92 97 04 6F 7F 0C 5C FB 74 CB 95 7E 4C C3 58
            : . . . . 12 E8 A9 D6 F0 DD 12 44 15 E7 8B 2E AF 51 C0 0C
            : . . . . . . [ Another 142 bytes skipped ]
            : . . .  }
 940 A3  122: . . . [3] {
 942 30  120: . . .  SEQUENCE {
 944 30   15: . . . . SEQUENCE {
 946 06    3: . . . .  OBJECT IDENTIFIER basicConstraints (2 5 29 19)
            : . . . . . (X.509 id-ce (2 5 29))
 951 04    8: . . . .  OCTET STRING, encapsulates {
 953 30    6: . . . . .  SEQUENCE {
 955 01    1: . . . . . . BOOLEAN TRUE
 958 02    1: . . . . . . INTEGER 0
            : . . . . . . }
            : . . . . .  }
            : . . . .  }
 961 30   22: . . . . SEQUENCE {
 963 06    3: . . . .  OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
            : . . . . . (X.509 id-ce (2 5 29))
 968 01    1: . . . .  BOOLEAN TRUE
 971 04   12: . . . .  OCTET STRING, encapsulates {
 973 30   10: . . . . .  SEQUENCE {
 975 06    8: . . . . . . OBJECT IDENTIFIER '1 3 6 1 5 5 7 3 10'
            : . . . . . . }
            : . . . . .  }
            : . . . .  }
 985 30   77: . . . . SEQUENCE {
 987 06    8: . . . .  OBJECT IDENTIFIER
            : . . . . . authorityInfoAccess (1 3 6 1 5 5 7 1 1)
            : . . . . . (PKIX private extension)
 997 01    1: . . . .  BOOLEAN TRUE
1000 04   62: . . . .  OCTET STRING, encapsulates {
1002 30   60: . . . . .  SEQUENCE {
1004 30   58: . . . . . . SEQUENCE {
1006 06    8: . . . . . .  OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 4'
1016 86   46: . . . . . .  [6]
            : . . . .  'https://clepsydre.edelweb.fr/dvcs/service-ccpd'
            : . . . . . .  }
            : . . . . . . }
            : . . . . .  }
            : . . . .  }
            : . . . . }
            : . . .  }
            : . . . }
1064 30   13: . .  SEQUENCE {
1066 06    9: . . . OBJECT IDENTIFIER
            : . . .  md5withRSAEncryption (1 2 840 113549 1 1 4)
            : . . .  (PKCS #1)
1077 05    0: . . . NULL
            : . . . }
1079 03  257: . .  BIT STRING 0 unused bits
            : . . . 08 DA AF 5B 09 39 66 D3 BE 80 1D D7 72 B5 2C A3
            : . . . 04 FB 46 F8 05 F5 BF 83 F3 6D 6D 32 28 1C 46 EE
            : . . . 0F EA 30 61 8A 1E 8A 03 4E 98 81 60 1F 97 17 53
            : . . . D1 54 73 3F 72 98 45 D3 10 9A D3 77 B8 74 0E 9A
            : . . . 90 29 8E AC A4 EB D2 24 6D F6 21 1D 3F 52 8B 2C
            : . . . E6 92 E7 52 C6 54 93 91 BC 57 74 21 38 39 75 CD
            : . . . 30 49 54 13 94 6C FE F1 64 38 1F 5F 7D BB E0 3E
            : . . . A8 F1 28 1C F1 D9 28 FA 32 1E 3B 48 BF 5C 70 21
            : . . . . . [ Another 128 bytes skipped ]
            : . .  }
            : . . }
1340 31  699: .  SET {
1344 30  695: . . SEQUENCE {
1348 02    1: . .  INTEGER 1
1351 30  124: . .  SEQUENCE {
1353 30  112: . . . SEQUENCE {
1355 31   11: . . .  SET {
1357 30    9: . . . . SEQUENCE {
1359 06    3: . . . .  OBJECT IDENTIFIER countryName (2 5 4 6)
            : . . . . . (X.520 id-at (2 5 4))
        
1364 13    2: . . . .  PrintableString 'FR'
            : . . . .  }
            : . . . . }
1368 31   21: . . .  SET {
1370 30   19: . . . . SEQUENCE {
1372 06    3: . . . .  OBJECT IDENTIFIER organizationName (2 5 4 10)
            : . . . . . (X.520 id-at (2 5 4))
1377 13   12: . . . .  PrintableString 'EdelWeb S.A.'
            : . . . .  }
            : . . . . }
1391 31   40: . . .  SET {
1393 30   38: . . . . SEQUENCE {
1395 06    3: . . . .  OBJECT IDENTIFIER
            : . . . . . organizationalUnitName (2 5 4 11)
            : . . . . . (X.520 id-at (2 5 4))
1400 13 31: . . . .  PrintableString 'Clepsydre Demonstration Service'
            : . . . .  }
            : . . . . }
1433 31   32: . . .  SET {
1435 30   30: . . . . SEQUENCE {
1437 06    3: . . . .  OBJECT IDENTIFIER commonName (2 5 4 3)
            : . . . . . (X.520 id-at (2 5 4))
1442 13   23: . . . .  PrintableString 'Time Stamping Authority'
            : . . . .  }
            : . . . . }
            : . . .  }
1467 02    8: . . . INTEGER
            : . . .  00 94 88 25 72 35 27 50
            : . . . }
1477 30    9: . .  SEQUENCE {
1479 06    5: . . . OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
            : . . .  (OIW)
1486 05    0: . . . NULL
            : . . . }
1488 A0  276: . .  [0] {
1492 30   26: . . . SEQUENCE {
1494 06    9: . . .  OBJECT IDENTIFIER
            : . . . . contentType (1 2 840 113549 1 9 3)
            : . . . . (PKCS #9 (1 2 840 113549 1 9))
1505 31   13: . . .  SET {
1507 06   11: . . . . OBJECT IDENTIFIER
            : . . . .  id-ct-dvcsresponse (1 2 840 113549 1 9 16 1 8)
            : . . . .  (S/MIME Content Types (1 2 840 113549 1 9 16 1))
            : . . . . }
            : . . .  }
1520 30   28: . . . SEQUENCE {
1522 06    9: . . .  OBJECT IDENTIFIER
            : . . . . signingTime (1 2 840 113549 1 9 5)
        
            : . . . . (PKCS #9 (1 2 840 113549 1 9))
1533 31   15: . . .  SET {
1535 17   13: . . . . UTCTime '000417171619Z'
            : . . . . }
            : . . .  }
1550 30   35: . . . SEQUENCE {
1552 06    9: . . .  OBJECT IDENTIFIER
            : . . . . messageDigest (1 2 840 113549 1 9 4)
            : . . . . (PKCS #9 (1 2 840 113549 1 9))
1563 31   22: . . .  SET {
1565 04   20: . . . . OCTET STRING
            : . . . .  68 50 DC 90 20 2E C2 F0 55 15 7F 77 A9 A6 0C 34
            : . . . .  CC 13 06 FA
            : . . . . }
            : . . .  }
1587 30  178: . . . SEQUENCE {
1590 06   11: . . .  OBJECT IDENTIFIER
          : . . . id-aa-signingCertificate (1 2 840 113549 1 9 16 2 12)
      : . . (S/MIME Authenticated Attributes (1 2 840 113549 1 9 16 2))
1603 31  162: . . .  SET {
1606 30  159: . . . . SEQUENCE {
1609 30  156: . . . .  SEQUENCE {
1612 30  153: . . . . . SEQUENCE {
1615 04   20: . . . . .  OCTET STRING
            : . . . .  5C F1 18 F3 4A CA B4 67 D6 D8 E7 F8 3B 4A D9 7A
            : . . . .  32 A5 43 A5
1637 30  128: . . . . .  SEQUENCE {
1640 30  116: . . . . . . SEQUENCE {
1642 A4  114: . . . . . .  [4] {
1644 30  112: . . . . . . . SEQUENCE {
1646 31   11: . . . . . . .  SET {
1648 30    9: . . . . . . . . SEQUENCE {
1650 06    3: . . . . . . . .  OBJECT IDENTIFIER
            : . . . . . . . . . countryName (2 5 4 6)
            : . . . . . . . . . (X.520 id-at (2 5 4))
1655 13    2: . . . . . . . .  PrintableString 'FR'
            : . . . . . . . .  }
            : . . . . . . . . }
1659 31   21: . . . . . . .  SET {
1661 30   19: . . . . . . . . SEQUENCE {
1663 06    3: . . . . . . . .  OBJECT IDENTIFIER
            : . . . . . . . . . organizationName (2 5 4 10)
            : . . . . . . . . . (X.520 id-at (2 5 4))
1668 13   12: . . . . . . . .  PrintableString 'EdelWeb S.A.'
            : . . . . . . . .  }
            : . . . . . . . . }
1682 31   40: . . . . . . .  SET {
1684 30   38: . . . . . . . . SEQUENCE {
        
1686 06    3: . . . . . . . .  OBJECT IDENTIFIER
            : . . . . . . . . . organizationalUnitName (2 5 4 11)
            : . . . . . . . . . (X.520 id-at (2 5 4))
1691 13 31: . . . . .PrintableString 'Clepsydre Demonstration Service'
            : . . . . . . . .  }
            : . . . . . . . . }
1724 31   32: . . . . . . .  SET {
1726 30   30: . . . . . . . . SEQUENCE {
1728 06    3: . . . . . . . .  OBJECT IDENTIFIER
            : . . . . . . . . . commonName (2 5 4 3)
            : . . . . . . . . . (X.520 id-at (2 5 4))
1733 13 23: . . . . . . . .  PrintableString 'Time Stamping Authority'
            : . . . . . . . .  }
            : . . . . . . . . }
            : . . . . . . .  }
            : . . . . . . . }
            : . . . . . .  }
1758 02    8: . . . . . . INTEGER
            : . . . .  00 94 88 25 72 35 27 50
            : . . . . . . }
            : . . . . .  }
            : . . . . . }
            : . . . .  }
            : . . . . }
            : . . .  }
            : . . . }
1768 30   13: . .  SEQUENCE {
1770 06    9: . . . OBJECT IDENTIFIER
            : . . .  rsaEncryption (1 2 840 113549 1 1 1)
            : . . .  (PKCS #1)
1781 05    0: . . . NULL
            : . . . }
1783 04  256: . .  OCTET STRING
            : . . . 2E 70 9F 56 5E 01 56 A9 E1 47 81 12 35 21 29 09
            : . . . 16 7A ED 45 F9 5A A2 ED E4 FE 9D 2C E4 DA 12 66
            : . . . 62 14 59 61 8B 50 7B 01 82 3D BD 7E E6 38 D0 A8
            : . . . A0 37 98 79 13 26 39 29 C6 72 20 A9 95 71 E7 53
            : . . . 7F 79 77 98 EF 23 02 4E B9 BD 90 9B AC 05 A2 70
            : . . . 8F 3A 42 36 9C 2C B0 94 B1 2B 0B 36 94 0E 78 0E
            : . . . B0 D1 09 20 63 BC FF CD 32 F1 5A D3 AB 9F 93 9C
            : . . . 5A A3 58 99 A0 28 11 E0 80 4D 4D 1E 77 04 F4 50
            : . . . . . [ Another 128 bytes skipped ]
            : . .  }
            : . . }
            : .  }
            : . }
            :  }
        

The corresponding data in PEM format (together with a technical textual description) are:

Data Validation Certificate:
    Request Information:
        Service: Certify Claim of Possession of Data - ccpd(4)
        Policy: EdelWeb Customer Policy Clepsydre
        Requester:
            DirName:/C=FR/L=Paris/O=EdelWeb/CN=Peter Sylvester
        DVCS:
            DirName:/C=FR/O=EdelWeb S.A./
            OU=Clepsydre Demonstration Service/CN=Time Stamping Authority
    SerialNumber: 01780a1eca8823
    MessageDigest:
        Algorithm: sha1
        Data : 75B685AF6F89467DE80715251E45978FCD1FA566
    Asserted Time:
        Generalized Time: 17-Apr-2000 19:16:17 (Apr 17 17:16:17 2000 GMT)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 94:88:17:17:64:37:32
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FR, O=EdelWeb S.A.,
            OU=Clepsydre Demonstration Service, CN=Time Stamping Authority
        Validity
            Not Before: Jan 25 16:19:38 2000 GMT
            Not After : Jan 20 16:19:38 2020 GMT
        Subject: C=FR, O=EdelWeb S.A.,
            OU=Clepsydre Demonstration Service, CN=Time Stamping Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:fa:c3:17:ae:eb:b7:9d:eb:ab:bd:05:7e:39:43:
                    6d:04:45:58:74:05:a5:cc:f3:6c:2f:8c:8e:77:7e:
                    c2:9f:12:11:5c:7d:db:be:23:28:9a:90:d2:ab:c6:
                    a2:ba:bd:a3:7e:99:a6:99:21:a5:d8:90:b9:cf:a7:
                    23:4e:a0:56:a0:c1:0a:46:89:8e:3c:91:67:37:fd:
                    9b:ab:49:17:fc:4a:a5:f2:e4:4c:6e:e3:6a:1c:92:
                    97:04:6f:7f:0c:5c:fb:74:cb:95:7e:4c:c3:58:12:
                    e8:a9:d6:f0:dd:12:44:15:e7:8b:2e:af:51:c0:0c:
                    5f:a8:65:fc:47:a1:c9:98:1f:d4:e1:ea:bc:1c:1a:
                    27:bb:8b:56:f1:12:55:10:f4:8e:d8:9f:19:9c:1e:
                    81:f7:db:63:dd:88:37:3f:71:79:5b:96:e2:5f:82:
                    d5:12:19:05:0d:e1:3d:a5:6d:66:e4:2c:1e:ed:c7:
                    4c:b8:df:aa:38:c8:15:6a:ae:25:7d:46:2a:07:f9:
                    83:77:c4:51:ee:90:dc:05:d0:c3:f0:f1:5f:e8:d4:
                    ed:5d:34:70:91:9d:9f:08:55:7d:5b:e5:8d:5f:35:
                    59:83:4e:72:19:bb:9c:88:d1:7a:fc:23:a5:84:99:
                    b4:17:8a:4d:6c:9d:d0:a6:35:80:5f:ca:fb:24:8b:
                    54:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE, pathlen:0
            X509v3 Extended Key Usage: critical
                DVCS Signing
            Authority Information Access: critical
         DVCS - URI:https://clepsydre.edelweb.fr/dvcs/service-ccpd
        
    Signature Algorithm: md5WithRSAEncryption
        08:da:af:5b:09:39:66:d3:be:80:1d:d7:72:b5:2c:a3:04:fb:
        46:f8:05:f5:bf:83:f3:6d:6d:32:28:1c:46:ee:0f:ea:30:61:
        8a:1e:8a:03:4e:98:81:60:1f:97:17:53:d1:54:73:3f:72:98:
        45:d3:10:9a:d3:77:b8:74:0e:9a:90:29:8e:ac:a4:eb:d2:24:
        6d:f6:21:1d:3f:52:8b:2c:e6:92:e7:52:c6:54:93:91:bc:57:
        74:21:38:39:75:cd:30:49:54:13:94:6c:fe:f1:64:38:1f:5f:
        7d:bb:e0:3e:a8:f1:28:1c:f1:d9:28:fa:32:1e:3b:48:bf:5c:
        70:21:29:ef:be:72:24:da:0d:f9:51:7a:fe:d7:f5:ff:e8:c2:
        ea:c6:4c:45:14:51:53:fd:00:d5:5b:cc:67:2a:23:94:31:9e:
        c2:90:38:9b:b0:df:f9:de:67:0c:57:5c:d7:b0:fc:f2:72:96:
        c4:d1:7a:9d:a0:e6:51:24:99:9e:89:c6:39:f9:72:7a:44:fd:
        2d:3f:bc:df:c7:25:27:94:a1:b5:7d:ba:06:75:67:1c:95:6c:
        bd:2c:74:41:3e:cd:cd:39:5c:2e:9c:c3:c3:09:e3:79:d5:eb:
        85:e8:f1:72:29:80:f6:c6:6e:61:1b:58:fc:87:3e:d9:e1:53:
        10:e0:b1:05
        

Appendix G - Acknowledgements

This document is based on two initial works from Robert Zuccherato and Carlisle Adams, both at Entrust Technologies, for time stamping and for notary and data certification services.

Thanks to Denis Pinkas, Bull and Bruno Salgueiro, SIBS for valuable comments.

Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
