If openssl ts -verify is used, what exactly is verified? For example, while the [-crl_check] [-crl_check_all] and [-extended_crl] verify options are supported, there is no way to pass CRLs to the call. So, is anything checked for revocation? How are timestamps verified for which the signing certificate has expired or has been revoked? If I understand correctly, to verify the validity of a timestamp token at the current time, one must - Check that the singing certificate was valid at the time of timestamp (for this either current or historical CRLs for the entire trust chain must be checked) - If the certificate is not valid anymore at the current time, one must show that none of the certificates in the trust chain have been revoked, or that those that have been revoked have the reasonCode extension and that this reasonCode extension shows one of the following revocation reasons: unspecified (0), affiliationChanged (3), superseded (4) or cessationOfOperation (5), in which case the timestamp token is still valid (section 4 off https://www.ietf.org/rfc/rfc3161.txt) Can openssl ts -verify do that? If not, how is a timestamp token properly verified using OpenSSL?
