What is a recommended way of handling CRL
s in long-term electronic signatures (specifically the CAdES-A
)?
The problem I see is in that CRL
s are not protected against modification (they are plain text, not signed) and not even mandatory in CAdES-T
or CAdES-A
.
As such, they can be forged, and such forgery cannot be easily detected, if the used time-stamping authority (TSA
) is no longer active. I cannot figure out a way of handling CRL
s in a way that prevents any doubts about long-term validity of a documents time-stamped with CAdES-A
.
The same problem I have with verification of trustworthiness of TSA
s themselves, if they no longer exist.
A typical scenario that worries me is this:
An attacker may use his own (=untrusted) time-stamping authority to forge a (
CAdES-T
orCAdES-A
) time-stamp of a document. No one will now able to verify whether this now unreachableTSA
was trusted or not at the time the time-stamp seems to be issued. To create a semblance of credibility, the attacker may update the time-stamp with a valid time-stamp of a trustedTSA
, and wait for several years. The time-stamp update is possible due to the fact that time-stamps may be issued automatically without verification of credibility of previous time-stamps.On a similar principle, an attacker can use a revoked certificate of a trusted time-stamp authority. He may also attach a modified
CRL
from which he deletes the S/N of the used time-stamping certificate (which is possible as theCRL
is not signed). This way, the attacker may create a series of time-stamps from differentTSA
s. It's possible that after 10 years at least one of theTSA
s won't exist, and no one will be able to receive its correct unmodifiedCRL
to verify validity of the time-stamp.
Unfortunately, long-term signature specifications do not treat these problems in detail, or rather they don't mention them at all. For instance in rfc5126, especially sections C.4.1.1 and C.4.3.
Edit:
(Another sub-question has been moved here.)