ADMHTResponse ::= SEQUENCE {
    responseStatus      MHTResponseStatus,
    basicResponse       [0] EXPLICIT BasicADMHTResponse OPTIONAL
}

BasicADMHTResponse ::= SEQUENCE {
    signedTreeDigest    SignedTreeDigest,
    singleResponse      SingleADMHTResponse
}

MHTResponseStatus ::= ENUMERATED {
    successful       (0),  --Response has valid confirmations
    malformedRequest (1),  --Illegal confirmation request
    internalError    (2),  --Internal error in issuer
    tryLater         (3),  --Try again later
                           --(4) and (5) are not used
    unauthorized     (6) } --Request unauthorized

SignedTreeDigest ::= SEQUENCE {
    tbsTreeDigest       TBSTreeDigest,
    signature           OCTET STRING  --SHA1 with RSA is used
}

TBSTreeDigest ::= SEQUENCE {
    issuer              Name,
    validity            Validity,
    rootHash            [0] EXPLICIT OCTET STRING OPTIONAL,
    extensions          [1] EXPLICIT Extensions OPTIONAL
}

SingleADMHTResponse ::= SEQUENCE {
    minorAdjacent       TreePath,
    majorAdjacent       [0] EXPLICIT TreePath OPTIONAL  --Only needed for not
                                                        --revoked responses
}

TreePath ::= SEQUENCE {
    adjacentID          CertID,
    status              RevokedInfo,
    firstPathStep       PathStep
}

PathStep ::= SEQUENCE {  --SHA1 is used
    leftHash            [0] EXPLICIT OCTET STRING OPTIONAL,
    middleHash          [1] EXPLICIT OCTET STRING OPTIONAL,
    rightHash           [2] EXPLICIT OCTET STRING OPTIONAL,
    nextPathStep        [3] EXPLICIT PathStep OPTIONAL
}

RevokedInfo ::= SEQUENCE {
    revocationTime      GeneralizedTime,
    revocationReason    [0] EXPLICIT CRLReason OPTIONAL
}
Fig. 5. ASN1 description of the AD-MHT Response
6 Response Verification
In this section, we expose the procedure that an End Entity must follow in order to verify a response.
First of all, the client must check that each TreePath included in the response is correct, that is, that the rootHash computed from the Path matches the rootHash included in the Digest. If a target certificate is not revoked, this is not enough: the client also needs to assure that the TreePaths provided belong to real adjacent
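The first check above, walking a TreePath's chain of PathStep hashes up to the root and comparing it with the digest's rootHash, as an added example that is not the paper's code. It assumes (constructed for this example, since the paper fixes only SHA-1) that a leaf hashes adjacentID||status, that a node hashes its present children in left/middle/right order, and that the hash computed one step below fills the first absent slot of the next PathStep.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Assumptions (constructed for this example): leaf = SHA-1(adjacentID || status),
# node = SHA-1 of its present children in left/middle/right order, and the hash
# computed one step below fills the FIRST absent slot of the next PathStep
# (a second absent slot simply means the 2-3 tree node has only two children).

@dataclass
class PathStep:
    left: Optional[bytes] = None
    middle: Optional[bytes] = None
    right: Optional[bytes] = None

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def leaf_hash(adjacent_id: bytes, status: bytes) -> bytes:
    return sha1(adjacent_id + status)

def compute_root(leaf: bytes, steps: List[PathStep]) -> bytes:
    """Follow firstPathStep -> nextPathStep upward and return the root hash."""
    h = leaf
    for step in steps:
        children, inserted = [], False
        for sibling in (step.left, step.middle, step.right):
            if sibling is None and not inserted:
                children.append(h)          # our own subtree goes here
                inserted = True
            elif sibling is not None:
                children.append(sibling)
        if not inserted or len(children) < 2:
            raise ValueError("malformed PathStep: no slot for the child hash")
        h = sha1(b"".join(children))
    return h

def verify_tree_path(adjacent_id: bytes, status: bytes,
                     steps: List[PathStep], digest_root: bytes) -> bool:
    """The client's check: recomputed root must equal rootHash of the digest."""
    root = compute_root(leaf_hash(adjacent_id, status), steps)
    return hmac.compare_digest(root, digest_root)

# Constructed 2-3 tree with five revoked leaves: root -> [A=(L1,L2,L3), B=(L4,L5)].
LEAVES = [leaf_hash(b"cert-%d" % i, b"revoked") for i in range(1, 6)]
A = sha1(b"".join(LEAVES[:3]))
B = sha1(b"".join(LEAVES[3:]))
ROOT = sha1(A + B)                          # what TBSTreeDigest.rootHash carries
PATH_CERT2 = [PathStep(left=LEAVES[0], right=LEAVES[2]), PathStep(right=B)]
PATH_CERT5 = [PathStep(left=LEAVES[3]), PathStep(left=A)]
```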