739
SECTION 8.7 Digital Signatures
At minimum, it must include the signer’s X.509 signing certificate. This certificate is used to verify the signature value in Contents.
The PKCS#7 object may optionally contain the following attributes:
• Time stamp information as an unsigned attribute (PDF 1.6): The timestamp token must conform to RFC 3161 and must be computed and embedded into the PKCS#7 object as described in Appendix A of RFC 3161.
• Revocation information as a signed attribute (PDF 1.6): This attribute can include all the revocation information that is necessary to carry out revocation checks for the signer's certificate and its issuer certificates.
• One or more issuer certificates from the signer’s trust chain (PDF 1.6); see implementation note 146 in Appendix H.
• One or more RFC 3281 attribute certificates associated with the signer certificate (PDF 1.7).
Revocation Information
The following object identifier identifies Adobe's revocation information attribute:
adbe-revocationInfoArchival OBJECT IDENTIFIER ::=
{ adbe(1.2.840.113583) acrobat(1) security(1) 8 }
The value of the revocation information attribute can include any of the following
data types:
• Certificate Revocation Lists (CRLs), described in RFC 3280 (see the Bibliography): CRLs are generally large and therefore not recommended to be embedded in the PKCS#7 object.
• Online Certificate Status Protocol (OCSP) Responses, described in RFC 2560,
X.509 Internet Public Key Infrastructure Online Certificate Status Protocol—
OCSP (see the Bibliography): These are generally small and constant in size and
are the suggested data type to be included in the PKCS#7 object.
• Custom revocation information: The format is not prescribed by this specification, other than that it be encoded as an OCTET STRING. The application should be able to determine the type of data contained within the OCTET STRING by looking at the associated OBJECT IDENTIFIER.
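As an added example (not code from the PDF Reference or Adobe), the following Python DER-encodes the adbe-revocationInfoArchival OID given above and reads it back from the head of a PKCS#7 Attribute (SEQUENCE { OBJECT IDENTIFIER, SET OF value }); the TLV helpers and the sample attribute are constructed here and are not from the page.

```python
# Added example, not from the PDF Reference: DER-encode the adbe-revocationInfoArchival
# OID and read it back from the head of a PKCS#7 Attribute (SEQUENCE { OID, SET OF value }).
ADBE_REVOCATION_INFO_ARCHIVAL = "1.2.840.113583.1.1.8"  # the OID given on the page
def der_len(n):  # short form below 128; long form is 0x80|count followed by the bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def _base128(v):  # continuation bit set on every octet except the last
    chunk = [v & 0x7F]
    v >>= 7
    while v:
        chunk.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(chunk))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]  # first two arcs share one subid
    return der_tlv(0x06, b"".join(_base128(s) for s in subids))

def decode_oid(body):
    subids, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids, cur = subids + [cur], 0
    first = subids[0]  # only root arc 2 permits a second arc of 40 or more
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

def read_tlv(buf, pos=0):  # returns (tag, contents, position after the TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def build_attribute(oid, value_der):
    return der_tlv(0x30, encode_oid(oid) + der_tlv(0x31, value_der))
def attribute_oid(attr_der):
    tag, body, _ = read_tlv(attr_der)
    inner, oid_body, _ = read_tlv(body)
    if tag != 0x30 or inner != 0x06:
        raise ValueError("expected SEQUENCE { OBJECT IDENTIFIER, ... }")
    return decode_oid(oid_body)

# Constructed sample: the attribute carrying an empty SEQUENCE as its single value.
SAMPLE_ATTR = build_attribute(ADBE_REVOCATION_INFO_ARCHIVAL, der_tlv(0x30, b""))
```

A verifier walking the signed attributes of the SignerInfo can compare each attribute's OID against the constant to locate the embedded CRLs or OCSP responses before running revocation checks.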