Explaining the SigningTime Authenticated Attribute in PKCS7 Signatures

The “signingTime” signed attribute (an “authenticated attribute” in PKCS #7 terminology) is an optional attribute of PKCS #7 signatures and of their successor, the Cryptographic Message Syntax (CMS, RFC 5652). It carries the date and time at which the signer says the signature was created. It is commonly included in signed-data objects so that a verifier can see when a signature was purportedly applied; it is the signer’s own assertion, not a time stamp issued by a trusted third party.

Detailed Explanation:

  • Attribute OID: The “signingTime” attribute is identified by the Object Identifier (OID) “1.2.840.113549.1.9.5”.
  • Data Type: It is of type “Time”, an ASN.1 CHOICE of “UTCTime” or “GeneralizedTime”, DER-encoded like the rest of the structure (it is not an RFC 822 or ISO 8601 text string). RFC 5652 requires UTCTime (YYMMDDHHMMSSZ) for dates from 1950 through 2049 and GeneralizedTime (YYYYMMDDHHMMSSZ) for all other dates; both forms must be expressed in UTC, include seconds, and carry no fractional seconds.
  • Purpose: The “signingTime” records when the signing operation took place according to the signer. It tells the recipient when the signer claims to have signed the document; on its own it does not prove that claim.
  • Placement: The “signingTime” is included in the “signedAttrs” field of the “SignerInfo” structure (named “authenticatedAttributes” in the original PKCS #7 specification). Signed attributes are covered by the signature, so their integrity is protected along with the message content. Whenever any signed attribute is present, the “content-type” and “message-digest” attributes are mandatory as well.

How the “signingTime” Attribute Works:

  • When creating a PKCS #7 signature, the signing software may include the “signingTime” attribute, normally filled from the signer’s own system clock at the moment of signing.
  • The attribute is placed in the “signedAttrs” set together with at least “content-type” and “message-digest” (the latter holding the hash of the content). The signature is then computed over the DER encoding of that whole set (encoded with an explicit SET OF tag), not directly over the content; the content is bound to the signature through the “message-digest” attribute.
  • Because the “signingTime” is part of the signed set, any change to it after signing invalidates the signature. Nobody other than the signer can alter the recorded time, but the value is whatever the signer chose to put there; a signer who controls its own clock can pre-date or post-date it.

Verifying the “signingTime”:

During signature verification, the verifier can check the “signingTime” to:

  • Confirm the claimed time of signature creation: Relate when the signer says the signature was applied to other events or documents.
  • Check certificate validity: Ensure that the signer’s certificate was valid at the asserted signing time by comparing the “signingTime” to the certificate’s “notBefore” and “notAfter” values, and evaluate revocation information against that time as well.
  • Keep the trust model in mind: Both checks rely on a value the signer supplied. Where the time must be attested independently (for example, to show that a signature predates a certificate revocation), the signature should additionally carry an RFC 3161 time-stamp token, conventionally stored as an unsigned attribute; the “signingTime” alone cannot serve that purpose.
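The procedure in “How the “signingTime” Attribute Works” and the checks in “Verifying the “signingTime”” above, as an added worked example; this is not code from the original article or from any CMS library. It builds the signed-attribute set (“content-type”, “message-digest” and “signingTime”) with hand-rolled DER, hashes it the way the signature computation does, parses the “signingTime” back out while handling the UTCTime/GeneralizedTime split, and compares it with a certificate validity window. The sample content and dates are constructed for the example, and the function names (“signed_attributes”, “extract_signing_time”, “check_against_certificate” and so on) are my own, not taken from any standard or library.

```python
# Added example, not from the article or any CMS library: the RFC 5652 signingTime
# signed attribute, built, hashed and parsed with hand-rolled DER (stdlib only).
import hashlib
from datetime import datetime, timezone

OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
OID_SIGNING_TIME = "1.2.840.113549.1.9.5"
OID_ID_DATA = "1.2.840.113549.1.7.1"
# Constructed sample inputs, not taken from any real signature.
SAMPLE_CONTENT = b"constructed sample content"
SAMPLE_TIME = datetime(2024, 3, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_TIME_2050 = datetime(2050, 1, 1, 0, 0, 0, tzinfo=timezone.utc)

def _tlv(tag, body):
    """DER tag-length-value (lengths up to 65535, ample for attributes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def encode_oid(oid):
    """DER OBJECT IDENTIFIER from dotted text, e.g. 1.2.840.113549.1.9.5."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, continuation bit set on all but the last octet
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def encode_time(t):
    """CMS Time CHOICE: UTCTime (0x17) for 1950-2049, GeneralizedTime (0x18) otherwise."""
    t = t.astimezone(timezone.utc)  # both forms are UTC with trailing 'Z', seconds, no fractions
    if 1950 <= t.year < 2050:
        return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return _tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def _attribute(oid, value):
    """Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF AttributeValue }."""
    return _tlv(0x30, encode_oid(oid) + _tlv(0x31, value))

def signed_attributes(content, signing_time):
    """The DER SET OF Attribute that is hashed and signed (RFC 5652, 5.4). Once any
    signed attribute is present, content-type and message-digest are mandatory;
    DER orders SET OF members by their encodings, hence the sort."""
    attrs = [
        _attribute(OID_CONTENT_TYPE, encode_oid(OID_ID_DATA)),
        _attribute(OID_MESSAGE_DIGEST, _tlv(0x04, hashlib.sha256(content).digest())),
        _attribute(OID_SIGNING_TIME, encode_time(signing_time)),
    ]
    return _tlv(0x31, b"".join(sorted(attrs)))

def signed_attributes_digest(content, signing_time):
    """Hex digest the signature covers; any change to signingTime changes it."""
    return hashlib.sha256(signed_attributes(content, signing_time)).hexdigest()

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_time(tag, body):
    """Inverse of encode_time, including the two-digit-year pivot of UTCTime."""
    text = body.decode("ascii")
    if tag == 0x17:  # UTCTime: YY >= 50 means 19YY, otherwise 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def extract_signing_time(signed_attrs_der):
    """Walk the SET OF Attribute and return the signingTime, or None when absent."""
    tag, attrs, _ = _read_tlv(signed_attrs_der, 0)
    if tag != 0x31:
        raise ValueError("signed attributes must be a SET OF")
    pos = 0
    while pos < len(attrs):
        _, attr, pos = _read_tlv(attrs, pos)
        oid_tag, oid_body, after_oid = _read_tlv(attr, 0)
        if _tlv(oid_tag, oid_body) == encode_oid(OID_SIGNING_TIME):
            _, values, _ = _read_tlv(attr, after_oid)  # SET OF AttributeValue
            return decode_time(*_read_tlv(values, 0)[:2])
    return None

def check_against_certificate(signing_time, not_before, not_after):
    """Is the signer-asserted signingTime inside the certificate validity window? This
    confirms only the signer's claim: a signer controls its own clock and can backdate.
    Independent evidence of time needs an RFC 3161 time-stamp token instead."""
    return not_before <= signing_time <= not_after

if __name__ == "__main__":
    print("parsed:", extract_signing_time(signed_attributes(SAMPLE_CONTENT, SAMPLE_TIME)))
    print("digest:", signed_attributes_digest(SAMPLE_CONTENT, SAMPLE_TIME))
    print("digest +1s:", signed_attributes_digest(SAMPLE_CONTENT, SAMPLE_TIME.replace(second=1)))
```

Running the script directly shows that moving the “signingTime” by a single second changes the digest the signature covers, which is exactly why the attribute cannot be edited after signing. The check in “check_against_certificate” is deliberately modest: it establishes that the signer’s claim is consistent with the certificate, not that the claim is true.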

Practical Considerations:

  • The “signingTime” attribute is optional, so not all signatures will include it.
  • If present, the “signingTime” contributes to the evidence supporting non-repudiation, but because the signer sets it, it should be corroborated by a trusted time stamp or other independent evidence before it is relied on.
  • For applications like e-invoicing or legal documents, having the “signingTime” can be valuable for compliance with legal requirements or industry standards.

Summary:

  • The “signingTime” attribute in PKCS #7 signatures represents the time the signature was applied.
  • It is an optional authenticated attribute that is signed along with the content, ensuring its integrity.
  • The attribute is useful for reading the asserted time of a signature and cross-checking it against certificate validity periods.
  • It cannot be altered after signing without invalidating the signature, but it remains the signer’s own assertion; independently verifiable time requires a trusted time stamp.