Closed frayus closed 5 years ago
2019-03-25 F2F Meeting in Milan:
This revision of the OPC is intended to clarify the existing spec, and not to add new functionality. As such, your suggestion is outside the scope of this project. That said, Japan intends to consider your input in its proposal to extend OPC to better support digital signatures in future.
There is, for compatibility reasons, only the primary leaf certificate in the KeyInfo element. However, since Office 2013, the rest of the chain is recorded in the XAdES Object element under UnsignedProperties/UnsignedSignatureProperties/CertificateValues. The XAdES Object element is the right place to do this - putting more certificates into the KeyInfo element could break parsers prior to Office 2013, possibly later - I don't recall if this has been tested and confirmed to work. Parsers prior to Office 2010 are unaware of the XAdES Object, and will ignore it.
Only a single x509Data element is in the keyInfo for the signature. Certificates that chain through a Certificate Authority to a Root certificate are not able to be validated when the verification is run on an offline system and the certificate authority certificate is not installed on the system.
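As an added illustration of the two locations described in this thread (the single X509Certificate under KeyInfo, and the rest of the chain under the XAdES UnsignedSignatureProperties/CertificateValues element), the following Python script is not code from the issue or from any Office or OPC implementation. It parses a package signature with the standard library only, gathers every certificate from both places, and reports whether an offline verifier would find the chain embedded or would have to rely on certificates already installed locally. The sample signatures are constructed in the script itself, the DER blobs are placeholders (a bare DER SEQUENCE, not real certificates), and the Id value and the `Target` attribute are assumed for the sample; the namespace URIs are the standard XML-DSig and XAdES 1.3.2 ones.

```python
import base64
import xml.etree.ElementTree as ET

# Standard namespaces used by package signatures and their XAdES Object.
NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xades": "http://uri.etsi.org/01903/v1.3.2#",
}

# Where the thread says the certificates live: the signer's leaf in KeyInfo,
# the issuing CA(s) and root in the XAdES CertificateValues element.
_KEYINFO_PATH = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
_XADES_CHAIN_PATH = (
    "ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/"
    "xades:UnsignedSignatureProperties/xades:CertificateValues/"
    "xades:EncapsulatedX509Certificate"
)


def _decode_der(text):
    """Decode a base64 text node to DER; an X.509 certificate is a DER SEQUENCE (0x30)."""
    der = base64.b64decode("".join(text.split()))
    if not der or der[0] != 0x30:
        raise ValueError("element does not contain a DER SEQUENCE (expected an X.509 certificate)")
    return der


def collect_certificates(signature_xml):
    """Return the DER certificates found in KeyInfo and in the XAdES CertificateValues."""
    root = ET.fromstring(signature_xml)
    return {
        "keyinfo": [_decode_der(e.text) for e in root.findall(_KEYINFO_PATH, NS)],
        "xades_chain": [_decode_der(e.text) for e in root.findall(_XADES_CHAIN_PATH, NS)],
    }


def chain_source(signature_xml):
    """Classify what an offline verifier has to work with.

    'embedded'     : leaf in KeyInfo plus CA/root in the XAdES Object (Office 2013+ layout)
    'keyinfo-only' : only the leaf; the CA must already be in the local store
    'no-signer-certificate' : nothing usable in KeyInfo
    """
    certs = collect_certificates(signature_xml)
    if not certs["keyinfo"]:
        return "no-signer-certificate"
    if certs["xades_chain"]:
        return "embedded"
    return "keyinfo-only"


# Constructed placeholder DER blobs (NOT real certificates): a DER SEQUENCE wrapping a
# short UTF8String, enough to stand in for a leaf, an issuing CA and a root.
_LEAF_DER = b"\x30\x06\x0c\x04leaf"
_CA_DER = b"\x30\x04\x0c\x02ca"
_ROOT_DER = b"\x30\x06\x0c\x04root"


def _b64(der):
    return base64.b64encode(der).decode("ascii")


def build_sample_signature(include_xades_chain):
    """Build a constructed sample signature; Id/Target values are assumed for the sample."""
    xades_part = ""
    if include_xades_chain:
        xades_part = f"""
  <ds:Object>
    <xades:QualifyingProperties Target="#idPackageSignature">
      <xades:UnsignedProperties>
        <xades:UnsignedSignatureProperties>
          <xades:CertificateValues>
            <xades:EncapsulatedX509Certificate>{_b64(_CA_DER)}</xades:EncapsulatedX509Certificate>
            <xades:EncapsulatedX509Certificate>{_b64(_ROOT_DER)}</xades:EncapsulatedX509Certificate>
          </xades:CertificateValues>
        </xades:UnsignedSignatureProperties>
      </xades:UnsignedProperties>
    </xades:QualifyingProperties>
  </ds:Object>"""
    return f"""<ds:Signature xmlns:ds="{NS['ds']}" xmlns:xades="{NS['xades']}" Id="idPackageSignature">
  <ds:SignedInfo/>
  <ds:SignatureValue/>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>{_b64(_LEAF_DER)}</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>{xades_part}
</ds:Signature>"""


if __name__ == "__main__":
    for with_chain in (False, True):
        xml = build_sample_signature(with_chain)
        certs = collect_certificates(xml)
        print(f"xades chain included={with_chain}: keyinfo={len(certs['keyinfo'])} "
              f"chain={len(certs['xades_chain'])} -> {chain_source(xml)}")
```

The classification is the practical takeaway for an offline verifier: a result of `keyinfo-only` means the signature carries nothing beyond the signer's leaf, so validation succeeds only if the issuing CA is already installed locally, whereas `embedded` means the CA and root can be pulled from the XAdES Object and checked against the local trust anchors without any network lookup.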