Re: [TSP] misc comments

[Denis Pinkas <Denis.Pinkas@xxxxxxxx>]

Thomas,

> rfc3161 says:
>   
> "The messageImprint field SHOULD contain the hash of the datum 
>  to be time-stamped."
>  
> This is a little puzzling: the messageImprint field is mandatory 
> and actually contains what will be (possibly) time-stamped.  So I 
> would rephrase it as:
> "The messageImprint contains the hash of the datum that SHOULD be 
>  time-stamped"

There is no means for the TSU to verify that the hash that is sent does 
correspond to the hash of the datum to be time-stamped. Hence why a SHOULD 
has been used.

> rfc3161 says:
>
> "The reqPolicy field, if included, indicates the TSA policy under
>  which the TimeStampToken SHOULD be provided."
>
> but in a different paragraph it is said - so mixing MUST and SHOULD:
>
> "If a similar field was present in the TimeStampReq, then it 
>  MUST have the same value, otherwise an error unacceptedPolicy) 
>  MUST be returned" 

What happens if the requested policy is not supported ? Hence why in that 
case a TSU will report an error.

> rfc3161 says:
>
> "The messageImprint MUST have the same value as the similar field in
>  TimeStampReq, provided that the size of the hash value matches the
>  expected size of the hash algorithm identified in hashAlgorithm."
>
> should be added also that: "the hash algorithm has been recognized 
> by the TSA as acceptable"

We already have text covering that aspect:

  "If the TSA does not recognize the hash
   algorithm or knows that the hash algorithm is weak (a decision left
   to the discretion of each individual TSA), then the TSA SHOULD refuse
   to provide the time-stamp token by returning a pkiStatusInfo of
   'bad_alg'."

Denis




> Thomas