TST options

Enabled by default, ESSCertIDv2, as defined by RFC5816, cryptographically binds the TAC to the signature (using SHA-256). See Time Stamp Tokens (TST) TAC encoding and binding for more information about ESSCertID/ESSCertIDv2.

Select this option to disable the inclusion of the TAC in the time-stamp token certificate list. You can use this option to support time-stamp client software that cannot decode the TAC. This option is required if you must support Oracle’s jarsigner. Oracle jarsigner cannot decode the TAC and cannot support time-stamp tokens that include the TAC in the certificate list. When a time-stamp client requests certificates to be included in the time-stamp token, the TSS by default includes the TSA certificate and the TAC. The Exclude TAC from certificate list option enables you to exclude the TAC from the certificate list.

The rsaEncryption algorithm identifier is used to identify RSA (PKCS #1 v1.5) signature values regardless of the message digest algorithm employed. CMS implementations that include the RSA (PKCS #1 v1.5) signature algorithm must support the rsaEncryption signature value algorithm identifier. CMS implementations may support RSA (PKCS #1 v1.5) signature value algorithm identifiers that specify both the RSA (PKCS #1 v1.5) signature algorithm and the message digest algorithm. Earlier versions of the TSS always used signature value algorithm identifiers that specified both the RSA (PKCS #1 v1.5) signature algorithm and the message digest algorithm. However, this may not be compatible with some applications that implement the RFC. All applications must support the rsaEncryption algorithm identifier and may optionally support the hash specific algorithm identifier. This option enables the Security Officer to use the more compatible rsaEncryption option instead of the old TSS behavior.