GSA / gsa-doc-digital-signature

This tool is deprecated. Please follow these new procedures - https://playbooks.idmanagement.gov/signfedregister/

Revoked certificate processing #24

Open powell-ofr opened 7 years ago

powell-ofr commented 7 years ago

A signer from a small agency test-signed some documents for OFR yesterday. The tool gave her the following progress report:

2017/07/05 14:23:52 - Applying Signature
2017/07/05 14:23:52 - Detecting card reader.
2017/07/05 14:23:53 - Verifying card is inserted into the reader.
2017/07/05 14:23:53 - Found reader with card present.
2017/07/05 14:23:53 - Broadcom Corp Contacted SmartCard 0
2017/07/05 14:23:56 - Validating PIN number.
2017/07/05 14:23:56 - Found a signing certificate.
2017/07/05 14:23:56 - Checking expiration date of signing certificate.
2017/07/05 14:23:57 - Unable to sign. Signing Certificate is REVOKED
2017/07/05 14:23:58 - Signing Cert Expiration Date: Sat Nov 16 12:44:38 CST 2019
2017/07/05 14:23:58 - Signing Cert Revocation Status: REVOKED
2017/07/05 14:23:58 - File has been successfully signed.

The tool recognized (correctly, as we later determined) that her PKCS7 certificate had been revoked and indicated such. It told the user that signing was not possible and the reason why. Then, the very next status line tells the user that the file was successfully signed. A *.p7m file was created with a revoked certificate.

The signer asked us (OFR) for clarification. I too thought it was odd and contacted GSA. They verified that her certificate was revoked. They also explained, "the way the current Federal PKI works, we wanted the tool to still sign even if the tool thought the signing certificate was revoked in case the tool was actually wrong."

I appreciate the complexity of the validation process even though I don't know the technical details. My concern is from the (non-technical) signer's perspective and their confusion at reading contradictory messages in the status report. If the business decision is to have the tool apply the signature even if the certificate is revoked, so be it. But to avoid confusion, I suggest removing the text "Unable to sign" from the status report as well as changing the final line text to "File has been signed."
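The failure mode in this report is a status log whose outcome line contradicts its check lines. The following is an added example, not code from the gsa-doc-digital-signature tool, showing how a signing decision can be gated on expiration and revocation status with a single explicit policy flag, so that every code path emits a report that agrees with what the tool actually did; it also includes a small check that flags a report of the contradictory shape quoted above. The status values, the `sign_on_revoked` policy flag, and the log wording are assumptions of this example.

```python
"""Added example (not the tool's own code): consistent signing decision and
status reporting for a certificate whose revocation status is known or unknown.
Status values, policy flag and log wording are assumptions of this example."""
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import List


class Revocation(Enum):
    GOOD = "GOOD"
    REVOKED = "REVOKED"
    UNKNOWN = "UNKNOWN"  # revocation check could not be completed (e.g. no OCSP/CRL reachable)


@dataclass
class CertInfo:
    not_after: datetime      # certificate expiration (naive local time for this example)
    revocation: Revocation   # result of the revocation lookup


@dataclass
class Policy:
    # If True, a certificate the tool believes is revoked is still used to sign
    # (the behaviour GSA described in the issue); the report must then say so
    # plainly instead of first claiming the tool is "unable to sign".
    sign_on_revoked: bool = False


@dataclass
class Outcome:
    signed: bool
    reason: str
    log: List[str] = field(default_factory=list)


def _log(lines: List[str], msg: str, now: datetime) -> None:
    lines.append(f"{now:%Y/%m/%d %H:%M:%S} - {msg}")


def decide_signing(cert: CertInfo, policy: Policy, now: datetime) -> Outcome:
    """Run the expiration and revocation checks and return one outcome whose
    log lines never contradict the final result."""
    lines: List[str] = []
    _log(lines, "Checking expiration date of signing certificate.", now)
    _log(lines, f"Signing Cert Expiration Date: {cert.not_after:%Y-%m-%d %H:%M:%S}", now)
    if cert.not_after <= now:
        # Expired certificates are never used, regardless of policy.
        _log(lines, "Unable to sign. Signing certificate is EXPIRED.", now)
        return Outcome(False, "expired", lines)

    _log(lines, f"Signing Cert Revocation Status: {cert.revocation.value}", now)
    if cert.revocation is Revocation.GOOD:
        _log(lines, "File has been signed.", now)
        return Outcome(True, "ok", lines)

    if cert.revocation is Revocation.REVOKED and not policy.sign_on_revoked:
        # Strict policy: refuse, and the report ends here with no success line.
        _log(lines, "Unable to sign. Signing certificate is REVOKED.", now)
        return Outcome(False, "revoked", lines)

    # Either status is UNKNOWN, or it is REVOKED and policy allows signing anyway.
    # Sign, but make the caveat explicit so a non-technical signer is not misled.
    _log(lines, f"WARNING: certificate status is {cert.revocation.value}; "
                "signing anyway per policy. Confirm status with the issuing agency.", now)
    _log(lines, "File has been signed.", now)
    return Outcome(True, f"signed-with-{cert.revocation.value.lower()}", lines)


def has_contradiction(log_lines: List[str]) -> bool:
    """True when a report both refuses ('Unable to sign') and claims success."""
    text = "\n".join(log_lines)
    return "Unable to sign" in text and "successfully signed" in text


# Excerpt of the report quoted in the issue, used as sample input.
ISSUE_REPORT = [
    "2017/07/05 14:23:57 - Unable to sign. Signing Certificate is REVOKED",
    "2017/07/05 14:23:58 - Signing Cert Revocation Status: REVOKED",
    "2017/07/05 14:23:58 - File has been successfully signed.",
]


if __name__ == "__main__":
    now = datetime(2017, 7, 5, 14, 23, 57)
    cert = CertInfo(datetime(2019, 11, 16, 12, 44, 38), Revocation.REVOKED)
    for policy in (Policy(sign_on_revoked=False), Policy(sign_on_revoked=True)):
        out = decide_signing(cert, policy, now)
        print(f"sign_on_revoked={policy.sign_on_revoked}: signed={out.signed} ({out.reason})")
        print("\n".join(out.log))
    print("issue report contradictory:", has_contradiction(ISSUE_REPORT))
```

Under the strict policy the report stops at the refusal; under the sign-anyway policy the report carries a warning and a plain "File has been signed." line, never an "Unable to sign" line, so the two messages the signer saw cannot appear together.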