TST options

TST options determine or affect the type of data stored in a TST. This appendix describes the options you can choose when configuring a TSA.

Use ESSCertIDv2 (RFC5816)

Enabled by default, ESSCertIDv2, as defined by RFC5816, cryptographically binds the TAC to the signature (using SHA-256). See Time Stamp Tokens (TST) TAC encoding and binding for more information about ESSCertID/ESSCertIDv2.

Exclude TAC from certificate list

Select this option to disable the inclusion of the TAC in the time-stamp token certificate list. You can use this option to support time-stamp client software that cannot decode the TAC. This option is required if you must support Oracle’s jarsigner. Oracle jarsigner cannot decode the TAC and cannot support time-stamp tokens that include the TAC in the certificate list. When a time-stamp client requests certificates to be included in the time-stamp token, the TSS by default includes the TSA certificate and the TAC. The Exclude TAC from certificate list option enables you to exclude the TAC from the certificate list.

This option only excludes the TAC from the certificate list in the time-stamp token. The TST TAC Encoding and Binding option SignerAttribute (RFC3126 & ETSI) does not encode the TAC in the certificate list. The SignerAttribute option encodes the TAC in a signed attribute. Therefore if you use the SignerAttribute option, the Exclude TAC option has no effect.

Use rsaEncryption OID Fix

The rsaEncryption algorithm identifier is used to identify RSA (PKCS #1 v1.5) signature values regardless of the message digest algorithm employed. CMS implementations that include the RSA (PKCS #1 v1.5) signature algorithm must support the rsaEncryption signature value algorithm identifier. CMS implementations may support RSA (PKCS #1 v1.5) signature value algorithm identifiers that specify both the RSA (PKCS #1 v1.5) signature algorithm and the message digest algorithm. Earlier versions of the TSS always used signature value algorithm identifiers that specified both the RSA (PKCS #1 v1.5) signature algorithm and the message digest algorithm. However, this may not be compatible with some applications that implement the RFC. All applications must support the rsaEncryption algorithm identifier and may optionally support the hash specific algorithm identifier. This option enables the Security Officer to use the more compatible rsaEncryption option instead of the old TSS behavior.

If you do not enable this option for Oracle jarsigner, it fails to validate the signature in the TST.
This option is incompatible with earlier versions (before V5.0) of the TSS SDK.