9. DVCS レスポンス English
この章は、検証の結果と認証リクエストを示すために DVCS によって作成されたデータ 構造 を記述する。
DVCS レスポンスの構造は、DVCS によって、データ検証と認証(certification)リクエストの処理の結果として生成される。
(準備中)
データ検証レスポンスは、
a type of id-ct-DVCSResponseData signalling a DVCSResponse 構造
を伴った [RFC2630] ContentInfo を含みます。id-ct-DVCSResponseData OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 8 }
このデータは、DVCS の認証、または、リクエストのインテグリティと守秘性を提供するために、[RFC2630] の構造体でカプセル化することができる(MAY)。本書は、[RFC2630] の SignedData 構造体の用法を仕様とする。
The contenttype indicated in the eContentType of the encapContentInfo は、
is of type id-ct-DVCSResponseData, signalling a DVCSResponse as eContent of the encapContentInfo (carried as an octet string)。
DVCS は、
a key for which a corresponding certificate indicates in an extendedKeyUsage the purpose of DVCS signing
を使う必要がある(SHOULD)。In a critical situation when a DVCS cannot produce a valid signature
(if the DVCS's signing key is known to be compromised, for example),
the DVCSResponse, containing the error notification,
MUST be generated as a signedData with no signerInfo attached。
署名されていない DVCSResponse を受け取ることは、
MUST be treated by the clients as a critical and fatal error,
and the content of the message should not be implicitly trusted。有効なレスポンスは、次の 1つを含むことができる。:
- DVC (Data Validation Certificate),
delivering データ 検証操作の結果,
performed by the DVCS。
- エラー通知。これは、
may happen when a リクエスト fails due to a parsing error, requester authentication failure,
or anything else that prevented the DVCS from executing the リクエスト。次のタイプが使われる。:
DVCSResponse ::= CHOICE {
dvCertInfo DVCSCertInfo ,
dvErrorNote [0] DVCSErrorNotice }
(準備中)
DVC (Data Validation Certificate)は、
is a signedData object containing a DVCSResponse with a 'dvCertInfo' choice。DVCSCertInfo::= SEQUENCE {
version Integer DEFAULT 1 ,
dvReqInfo DVCSRequestInformation,
messageImprint DigestInfo,
serialNumber Integer,
responseTime DVCSTime,
dvStatus [0] PKIStatusInfo OPTIONAL,
policy [1] PolicyInformation OPTIONAL,
reqSignature [2] SignerInfos OPTIONAL,
certs [3] SEQUENCE SIZE (1..MAX) OF TargetEtcChain OPTIONAL,
extensions Extensions OPTIONAL }DVCSCertInfo 構造は、
is returned as a result of successful execution of データ検証サービス。
It contains the results of the データ 検証,
a reference to the original リクエスト,
and other parameters.
Please note that 'successful execution' does not necessarily mean that
「検証自体は、成功した」
- a DVCSCertInfo may contain both the 'valid' and 'invalid' results。DVCS は、DVCSCertInfo を次のように作成する。:
- 'version' フィールドは、
is never present in this version of the protocol。The 'dvReqInfo' is essentially a copy of the 'requestInformation' field of the corresponding リクエスト。
The DVCS MAY modify the fields 'dvcs', 'requester', 'dataLocations',
and 'nonce' of the ReqInfo 構造,
例: if the リクエスト was processed by a chain of DVCS,
if the リクエスト needs to indicate DVCS,
or to indicate where to find a copy of the データ from a 'vpd' リクエスト。
The only modification allowed to a 'nonce' is the inclusion of a new field if it was not present,
or to concatenate other データ to the end (right) of an existing value。
- 'DVCSCertInfo.messageImprint' フィールドは、下記のように、対応するリクエストの'data' フィールドから算出される。:
For the 'certs' choice (the 'vpkc' service),
the digest is computed over the DER encoded データ value。
For a 'message' choice (the 'vsd' and the 'vpd' services) the digest is computed over the value octets (not including tag and length octets) of the OCTET STRING。
It is up to the DVCS to choose an appropriate digest algorithm。For a 'messageImprint' choice (the 'vcpd' service),
the 'messageImprint' of the DVCSRequest is copied as is。
- 'DVCSCertInfo.serialNumber' フィールドは、
contains a unique identifier of the リクエスト。
- The field 'responseTime' indicates a time value associated with the response。
The value MAY be a locally generated one,
or a signed TimeStampToken (TST) or DVC obtained from an external service。
Before using a value obtained from an external service,
the DVCS must validate it according the rules of the external service。
- The field 'DVCSCertInfo.dvStatus' は、
a collective result of the 検証
を反映する。このフィールドが無い場合、
it is an equivalent of the SUCCESS status。For a vkpc,
if the status field is present and set to SUCCESS,
it indicates that all certificates were successfully validated。
If it is present and set to FAILED,
it indicates that all or some of the certificates failed 検証,
and the specific status of the 'certs' should be investigated,
at least one of the elements of the 'certs' TargetEtcChain 構造s MUST have a failure status。If the field 'dvStatus' does not indicate success ('granted' or 'granted with mods') the element 'failInfo' MAY indicate the reason for the failure.
Note that the field 'certs' MAY contain additional information about verification failures。A failure of the verification of one of the signatures does not necessarily result in failing to validate a signed document.
For example, as long as a sufficient number of signature was successfully verified,
a DVC with status 'grantedWithMods' may be produced。
A DVC with status 'granted' MUST only be produced if all signatures verified successfully。The field MUST be present,
and the status must be set to WAITING, if no final response can be immediately available。
It is assumed that the DVCS provides an additional final status some time later。
The details of the necessary procedures are part of the DVCS policy。失敗の場合、
the requester can further investigate the cause of the failure,
by looking into the TargetEtcChain fields。
'CertEtctoken.pkistatus' fields will indicate which item(s) has failed or succeeded the 検証 and for what reason。
- The 'DVCSCertInfo.policy' field indicates the policy under which the DVCS operates。
- If present,
'DVCSCertInfo.reqSignature' MUST be the same value as the signerInfos field of the corresponding リクエスト。
It is a policy decision whether to include this field。
- 'DVCSCertInfo.certs' フィールドは、DVCS によってなされた検証の結果を含む。
For the cpkc service,
each element contains a copy of a corresponding field of the リクエスト with the selected subset in the targetAndChain subfield and the results of the verifications,
and additional certificates or certificate references,
例: from certification authorities or as described in appendix C.3。
For a vsd service,
each element contains the result of the 検証 of one signature of the signed document to be validated。In case of a global status of WAITING,
the DVCS MAY choose to return an individual status of waiting in some of the 'certs' field,
or not to return such a TargetEtcChain at all。The 'acceptablePolicySet' sequence は、
the policies and mappings
that were processed during X.509 公開鍵証明書パス検証
を示す。PolicyMappingsSyntax は、[RFC2459] において規定されている。
- 'extensions' フィールドは、追加的な情報をクライアントに返すために使うことができる(MAY)。
Extensions MAY be marked critical or not in order to indicate whether the client MUST understand them。
本書は、extensions を規定しない。
(準備中)
DVCS Error Notification は、
is a CMS signedData object containing a DVCSResponse with a 'dvErrorNote' choice。DVCSErrorNotice ::= SEQUENCE { transactionStatus PKIStatusInfo , transactionIdentifier GeneralName OPTIONAL }
PKIStatusInfo は、[RFC2511] において定義されている。
For the purposes of communicating the DVCSErrorNotice,
the following subset of PKIFailureInfo values is used。:PKIFailureInfo ::= BITSTRING {
badRequest (2),
-- transaction not permitted or supported
badTime (3),
-- messageTime was not sufficiently close to the system time, as defined by local policy
badDataFormat (5),
-- the データ submitted has the wrong format
wrongAuthority (6),
-- the DVCS indicated in the リクエスト is different from the one creating the response token
incorrectData (7)
-- 要求者のデータ(すなわち、署名)が不正。DVCSErrorNotice において、PKIStatusInfo の PKIStatus フィールドは、REJECTED に設定されなければならない。
The 'statusString' field of PKIStatusInfo は、
can be used to accommodate extra text, such as a reason for the failure,
例えば、"I have gone out of service"。
DVCS は、
initializes the 'DVCSErrorNotice.transactionIdentifier' with a copy of the 'DVCSRequest.transactionIdentifier' field of the corresponding リクエスト。In certain circumstances,
a DVCS may not be able to produce a valid response to a リクエスト
(例えば、if it is unable to compute signatures for a period of time)。
このような状況において、DVCS は、
MAY create a response with an DVCSErrorNotice but no signature。DVCS クライアントは、署名されていないレスポンスを信頼してはいけない(SHOULD NOT)。 DVCS クライアントは、 通信チャネルがサーバー認証を提供する場合、署名されていないレスポンスを信頼できる(MAY)。 (例: TLS [RFC2246] によって規定されているサービス。)