Closed boamaod closed 8 months ago
Digitally signed files created with the libdigidocpp library are compliant with the ASIC standard. Creating digital signatures in BDOC format is no longer supported in the libdigidocpp library. More information can be found here.
The ASIC standard currently states the following about the "CertificateValues" field: "the CertificateValues qualifying property shall be incorporated into the signature if it is not already present and the signature misses some of the certificates listed in clause 5.4.1 that are required to validate the XAdES signature;"
In conclusion, "CertificateValues" should be used when additional validation information is needed for full certificate path validation. In the case of Estonian signatures, no additional information is needed for validation, since the intermediate certificates are available in the trust list, and therefore using the "CertificateValues" field is optional.
For better compatibility with other CAs, we are considering implementing the "CertificateValues" field in the future.
Could you please specify in what sense the BDOC standard is not supported any more?
You are referring to the announcement that BDOC-TM is deprecated, but BDOC-TS, as defined in BDOC2.1 section 6.2, is still a format that is well alive and within the scope of the page 12 requirement of a mandatory CertificateValues field. This is supposedly compatible with the ASIC standard and is in practice used as the current authoritative reference for creating most Estonian digital signatures. I haven't found an announcement that BDOC2.1 as a standard is deprecated, which could obsolete BDOC-TS and its format requirements.
According to BDOC2.1 page 12, CertificateValues is a mandatory field in signaturesN.xml that must contain at least the signer's CA certificate. I suppose for most practical cases the signer's CA is available from other sources, but there is probably a reason why this field is mandatory, and if it is ignored, this should at least be documented.