Re: [SignServer-develop] TimeStamp ACCEPTEDPOLICIES

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On 27. 8. 2015 16:06, Markus Kilås wrote:
> Yes, I think this is the expected behaviour. The rational is that you
> would only sign the time-stamp according to the policies you have
> decided to support. If a request comes in with a policy that you have
> not listed as a policy that you support (and thus claim to fulfil), then
> the request is rejected. If the request contains a policy OID then this
> must be the policy used in the token as explained in RFC#3161:
> 
> "The policy field MUST indicate the TSA's policy under which the
>    response was produced.  If a similar field was present in the
>    TimeStampReq, then it MUST have the same value, otherwise an error
>    (unacceptedPolicy) MUST be returned. "
> 
> 
> Let me know if you think I missed something.
> 
> Cheers,
> Markus

Hi,

thank you for your response, I think this is correct behaviour.

I was just a little confused. The confusion was because if ACCEPTEDPOLICIES are
null then even requests that contain DEFAULTTSAPOLICYOID are rejected.

Perhaps more explicit text would be fine in documentation:

ACCEPTEDPOLICIES = A ';' separated string containing accepted policies, can be
null if it shouldn't be used. When not used, time stamp request MUST NOT include
a policy identifier. (OPTIONAL, Recommended)

Thanks

Martin