SECTION 8.7  Digital Signatures  739
At minimum, it must include the signer's X.509 signing certificate. This certificate is used to verify the signature value in Contents.
The PKCS#7 object may optionally contain the following attributes:
• Time stamp information as an unsigned attribute (PDF 1.6): The timestamp token must conform to RFC 3161 and must be computed and embedded into the PKCS#7 object as described in Appendix A of RFC 3161.
• Revocation information as a signed attribute (PDF 1.6): This attribute can include all the revocation information that is necessary to carry out revocation checks for the signer's certificate and its issuer certificates.
• One or more issuer certificates from the signer's trust chain (PDF 1.6); see im-
• One or more RFC 3281 attribute certificates associated with the signer certificate (PDF 1.7).
Revocation Information
The following object identifier identifies Adobe's revocation information attribute:
adbe-revocationInfoArchival OBJECT IDENTIFIER ::=
{ adbe(1.2.840.113583) acrobat(1) security(1) 8 }
The value of the revocation information attribute can include any of the following data types:
• Certificate Revocation Lists (CRLs), described in RFC 3280 (see the Bibliogra- … ded in the PKCS#7 object.
• Online Certificate Status Protocol (OCSP) Responses, described in RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol—OCSP (see the Bibliography): These are generally small and constant in size and are the suggested data type to be included in the PKCS#7 object.
• Custom revocation information: The format is not prescribed by this specification, other than that it be encoded as an OCTET STRING. The application should be able to determine the type of data contained within the OCTET STRING by looking at the associated OBJECT IDENTIFIER.
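The following Python is an added example, not code from the PDF Reference or from Adobe. It shows, with a small stand-alone DER encoder and decoder, how the adbe-revocationInfoArchival OID given above (1.2.840.113583.1.1.8) is encoded inside a PKCS#7 signed attribute, and how a verifier that finds custom revocation data decides what it is holding by reading the OBJECT IDENTIFIER paired with the OCTET STRING rather than by guessing from the bytes. The inner layout used for the attribute value (a SEQUENCE containing one SEQUENCE { type OID, value OCTET STRING } entry) and the sample type OID 2.999.1 (an arc reserved for documentation examples) are assumptions of this example; the page only states that custom data is an OCTET STRING identified by an associated OBJECT IDENTIFIER.

```python
"""DER round-trip for the adbe-revocationInfoArchival signed attribute.

Constructed example: the value layout assumed here is one entry of the form
SEQUENCE { type OBJECT IDENTIFIER, value OCTET STRING }; the page does not
prescribe that layout, only the OID/OCTET STRING pairing for custom data.
"""

# Universal DER tags used below
TAG_OID = 0x06
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30
TAG_SET = 0x31

# From the spec: { adbe(1.2.840.113583) acrobat(1) security(1) 8 }
ADBE_REVOCATION_INFO_ARCHIVAL = "1.2.840.113583.1.1.8"


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: the first two arcs are packed as 40*a+b,
    then every subidentifier is written base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        chunk = bytearray([sid & 0x7F])
        sid >>= 7
        while sid:
            chunk.insert(0, 0x80 | (sid & 0x7F))
            sid >>= 7
        out += chunk
    return der_tlv(TAG_OID, bytes(out))


def decode_oid(content: bytes) -> str:
    """Decode the content octets of an OID; rejects a dangling continuation bit."""
    subids, value, pending = [], 0, False
    for b in content:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending or not subids:
        raise ValueError("malformed OID")
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs + subids[1:]))


def read_tlv(buf: bytes, pos: int = 0):
    """Parse one TLV at pos and return (tag, content, next_pos).
    Truncated elements and non-minimal lengths are rejected, as DER requires."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def build_revocation_attribute(custom_type_oid: str, custom_blob: bytes) -> bytes:
    """Attribute ::= SEQUENCE { type adbe-revocationInfoArchival, values SET { value } }.
    The value carries one custom entry (OID, OCTET STRING); layout is an assumption."""
    entry = der_tlv(TAG_SEQUENCE, encode_oid(custom_type_oid)
                    + der_tlv(TAG_OCTET_STRING, custom_blob))
    value = der_tlv(TAG_SEQUENCE, entry)
    return der_tlv(TAG_SEQUENCE, encode_oid(ADBE_REVOCATION_INFO_ARCHIVAL)
                   + der_tlv(TAG_SET, value))


def parse_revocation_attribute(attr: bytes):
    """Return (type_oid, blob) for an adbe-revocationInfoArchival attribute,
    or None if the attribute type is some other OID. The caller dispatches on
    type_oid to decide how to interpret blob, as the page requires."""
    tag, content, _ = read_tlv(attr)
    if tag != TAG_SEQUENCE:
        return None
    tag, oid_bytes, pos = read_tlv(content)
    if tag != TAG_OID or decode_oid(oid_bytes) != ADBE_REVOCATION_INFO_ARCHIVAL:
        return None
    _, set_content, _ = read_tlv(content, pos)
    _, value, _ = read_tlv(set_content)
    _, entry, _ = read_tlv(value)
    tag, type_oid, pos = read_tlv(entry)
    tag2, blob, _ = read_tlv(entry, pos)
    if tag != TAG_OID or tag2 != TAG_OCTET_STRING:
        return None
    return decode_oid(type_oid), blob


if __name__ == "__main__":
    attr = build_revocation_attribute("2.999.1", b"constructed-sample")
    print(attr.hex())
    print(parse_revocation_attribute(attr))
```

The encoded attribute type comes out as 06 09 2a 86 48 86 f7 2f 01 01 08, so a verifier scanning signed attributes can match that byte string directly; anything it does not recognise by OID should be treated as absent revocation data rather than parsed speculatively.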