On Fri, 11 Sep 2015 15:07:20 +0200, Jakob Bohm <jb-openssl at wisemo.com> wrote:

> 2.3.1 RFC2985 form Timestamp countersignature Attribute

This one.

> I have not encountered this before, which signing authority,
> AlgorithmIdentifier and year (first digits of timestamp) did
> you see this with?

Various intermediate certs. Verisign, Symantec, etc. But now I see, didn't get it before: the root is always "Thawte Timestamping CA" -- using md5WithRSAEncryption.

Example:
https://www.virustotal.com/en/file/1d1bb76575e780123814259eb2dbbf26f1c9035d8f0d4bab682703823b06323f/analysis/

>
> Have you considered the possibility that this may be an
> ISO/IEC 9796-1 or -2 signature (an old format broken in
> 1999 for 9796-1 and for 9796-2/MD5 and in 2009 for
> 9796-2/SHA-1)?

ISO/IEC 9796-1 / -2 seem to be completely different signing schemes. That's not the case here. It's only the encryptedDigest which differs, everything else is quite like the other timestamps you describe in "2.3.1".

Btw: Windows verifies those with success, valid signatures. But you are right, maybe those are "fakes" (the intermediate ones) or broken in another way.

> Due to the likely weakness of this scheme, [...]

I'm a layman here, but I don't think the differences in the scheme itself provide the weakness, not in this case. There's only one difference: The signature algorithm is not confirmed by the encryptedDigest. But it is via other places and it is sha1 for the timestamp itself (20 bytes in length). Maybe the root certificate using md5 is... I don't know...

Regards
Michael
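
The difference described in this message, sketched as an added example (not code from the thread or from OpenSSL): after the RSA public-key operation, a PKCS#1 v1.5 block normally carries a DER DigestInfo that names the hash, while the variant discussed here is assumed to carry only the bare 20-byte digest. The function names and the sample blocks are constructed for illustration.

```python
# Added example; sample blocks are constructed, not from a real signature.
import hashlib

# DER DigestInfo prefixes (RFC 8017, section 9.2)
PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
DIGEST_LEN = {"md5": 16, "sha1": 20, "sha256": 32}


def unpad_type1(block: bytes) -> bytes:
    """Strip 00 01 FF..FF 00 padding from a recovered RSA block."""
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x01" or sep < 10 or set(block[2:sep]) != {0xFF}:
        raise ValueError("malformed PKCS#1 v1.5 type-1 padding")
    return block[sep + 1:]


def classify(block: bytes, declared_alg: str, expected: bytes) -> str:
    """Report how the payload relates to the algorithm SignerInfo declares."""
    payload = unpad_type1(block)
    for alg, prefix in PREFIX.items():
        if payload.startswith(prefix) and len(payload) == len(prefix) + DIGEST_LEN[alg]:
            if alg != declared_alg:
                return "algorithm-mismatch"
            return "digestinfo" if payload[len(prefix):] == expected else "digest-mismatch"
    # No DigestInfo: the block itself says nothing about the hash algorithm,
    # so only the length and the value can be checked against declared_alg.
    if len(payload) == DIGEST_LEN.get(declared_alg):
        return "bare-digest" if payload == expected else "digest-mismatch"
    return "unrecognized"


def make_block(payload: bytes, k: int = 128) -> bytes:
    """Build a constructed type-1 block for a k-byte modulus (test input only)."""
    return b"\x00\x01" + b"\xff" * (k - 3 - len(payload)) + b"\x00" + payload


if __name__ == "__main__":
    digest = hashlib.sha1(b"constructed signed attributes").digest()
    print(classify(make_block(PREFIX["sha1"] + digest), "sha1", digest))
    print(classify(make_block(digest), "sha1", digest))
```

A verifier that accepts the "bare-digest" case has to take the hash algorithm from the digestAlgorithm field of the SignerInfo, since the signed block no longer binds it.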