
The latest ETSI standards CAdES, XAdES and PAdES require the baseline profile LTA to fulfill the previous LT, T and B levels. Summarizing, the conformance requirements are:

  • B: Base signature with content-type, signing-time and signing-certificate
  • T: Signature timestamp
  • LT: Certificate and revocation values
  • LTA: Archive timestamp

These are more or less simplifications of the previous BES, EPES, T, XL, and A levels, where the requirement is also present (CAdES-A).

Applying a timestamp is an expensive process in time and money, because it is usually performed by an external trusted CA.

Question: What is the reason for applying two timestamps when building an LTA directly, bearing in mind that the last timestamp protects all content? Why is the -T timestamp not optional?

pedrofb

1 Answer

As you said, the second timestamp protects all content. It is there to specify that the revocation data was valid at a certain time, due to the archiving part of this type of signature. If the revocation values were present without the second timestamp, there would be no way to prove their validity at the time of the signature.

Using CAdES-A, the first timestamp theoretically could be removed, but as you show, CAdES-A is over CAdES-C, which is over CAdES-BES. The standards are over each other and each type of signature has to match the standard. For example, CAdES-LTA (Long Time Archiving) would be over CAdES-A, etc.

zr_ifrit
  • `Using CAdES-A, the first timestamp theoretically could be removed` That is also my impression, but since the CAdES standard allows variations (X-LONG type 1, type 2, etc.), I wonder why there is not an exception for this case to avoid the need for the -T timestamp when building an -A level directly. – pedrofb Jan 11 '17 at 09:18
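
The cumulative level structure discussed in the question and answer, as an added example that is not part of the original posts: a structural check that reports the highest baseline level a XAdES signature reaches when each level must also satisfy the ones below it. It assumes the XAdES element names and namespaces from the ETSI schema, checks element presence only (no cryptographic validation, and only signing-time and signing-certificate for level B), and uses hypothetical helper names and a constructed, flattened sample.

```python
import xml.etree.ElementTree as ET

X132 = "{http://uri.etsi.org/01903/v1.3.2#}"   # XAdES 1.3.2 namespace
X141 = "{http://uri.etsi.org/01903/v1.4.1#}"   # XAdES 1.4.1 namespace

# Elements each level adds on top of the previous one, following the
# question's summary. Presence only: nothing is cryptographically verified.
LEVELS = [
    ("B",   [X132 + "SigningTime", X132 + "SigningCertificateV2"]),
    ("T",   [X132 + "SignatureTimeStamp"]),
    ("LT",  [X132 + "CertificateValues", X132 + "RevocationValues"]),
    ("LTA", [X141 + "ArchiveTimeStamp"]),
]

def baseline_level(xml_text):
    """Return (highest cumulative level reached, elements missing for the next)."""
    present = {el.tag for el in ET.fromstring(xml_text).iter()}
    reached = None
    for name, required in LEVELS:
        missing = [tag.split("}")[1] for tag in required if tag not in present]
        if missing:
            return reached, missing   # stop at the first unmet level
        reached = name
    return reached, []

def sample(parts):
    """Constructed, flattened QualifyingProperties holding only the named parts."""
    body = "".join(f"<{p}/>" for p in parts)
    return (f'<x:QualifyingProperties xmlns:x="{X132[1:-1]}" '
            f'xmlns:a="{X141[1:-1]}">{body}</x:QualifyingProperties>')

# Constructed input: every property the four levels ask for.
FULL = ["x:SigningTime", "x:SigningCertificateV2", "x:SignatureTimeStamp",
        "x:CertificateValues", "x:RevocationValues", "a:ArchiveTimeStamp"]
# Same signature built "directly" with only the archive timestamp.
NO_T = [p for p in FULL if p != "x:SignatureTimeStamp"]

if __name__ == "__main__":
    print("all properties:    ", baseline_level(sample(FULL)))
    print("archive stamp only:", baseline_level(sample(NO_T)))
```

Because the levels are cumulative, the second sample is classified as B even though it carries validation data and an archive timestamp.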