问题
I m working on one project about certificates and digital signatures in Java, but i cant understand following situation. Certificates of sender and receiver of document was valid when signature is created. But in time, when receiver received document, certificate of sender had expired. Is that valid situation, so receiver can normally verify signature, or he cant?
One more question. For what is used Non-repudiation key usage?
回答1:
A digital signature will remain cryptographically correct even if the certificate has expired, but verification of the signature will be invalid.
An electronic certificate has a period of use established by the policy of the Certification Authority, beyond which the use of the private key is not considered safe.
To preserve the validity of the signature beyond the expiration time, a time stamp or revocation evidences ( CRLs, OCSP responses) can be incorporated on the signature, in such a way that it is possible to verify the signature without having to contact the CA in the future.
One more question. For what is used Non-repudiation key usage?
Please, read this X509: What's the difference between digital signature and non-repudiation
回答2:
We need to have some clear concept here:
1-A certificate can expired or be revoked at any time, so all documents with it signature will be invalid. All certificates have an expiring date.
1.1 - To avoid this situation normally you have to sign with the standard XADES-T and a TSA (Time Stamp Authority) has to validate and re-sign the file. This will give you longevity avoiding the first problem -> Ending on a AdES-A.
That was just a clue, the process has much more theory with it.
Note: A time stamp is not just enough, it can be included in a normal signature, it has to be the TSA who set this time Stamp certificating that your signature was valid at that moment and he endorse it.
Answering your question: Yes, it is a valid and normal situation, and you can't do anything about it (on the standard way), it is no longer valid. Now you can work on avoiding this to happen again with a TSA( of trust, in spain we have @Firma from the Government) and re-stamping your valid documents.
For what is used Non-repudiation key usage? This is used so you can't say that you didn't sign the document, once is signed it is complete valid and legal. To accomplish that, you have to sign with a standard certificate (Given by an Oficial Entity) containing your most important information,normally this is given presencialy (at least in Spain), you have to go to a concrete place with your accreditation document (DNI or National Identity Number) to get your certificate.
Spanish Links that could help: https://www.sede.fnmt.gob.es/certificados/persona-fisica/obtener-certificado-software
http://firmaelectronica.gob.es/Home/Ciudadanos/Aplicaciones-Firma.html#arroba_firma
Hope this helps. Thanks.
回答3:
A certificate can expire, or can be revoked, between it is "used" and it is "validated". To avoid this, you can validate it immediately after it was used. When signing PDF files, this is part of PAdES LTV specification.
来源:https://stackoverflow.com/questions/47875624/certificate-of-sender-expired-before-signature-verify