VALIDATION OF LONG-TERM SIGNATURES: About Revocation Checking of Certificates in the Context of long-term Signatures

摘要

The current practice of digital signature creation is simple. However, signature verification is much harder. This especially holds for long-term signatures, signatures that should remain verifiable over years. After the signing certificate expired, it is hard to find out if the certificate was valid at the time the signature was created. Current revocation checking mechanisms, like CRLs and OCSP, may not provide the status of certificates which are no longer valid. This is one reason why many of the current signature verification systems cannot verify signatures after the signing certificate expired. There are several approaches for coping with these problems: attach all data that is required for validation to the signature right after signature creation, let the verification software collect and archive all validation data that it needs, or use advanced services for certificate status checking. Currently, there are hardly any advanced services available. However, this paper shows that it is not hard to design such services.