K.Tsanov

Reputation: 151

Where to find root and intermediate certificates having a security token with only end certificate in it

First I must say I'm kinda new at digital signatures and PKI. I have a few questions regarding the way the whole PKI infrastructure works. Let's say I have a security token containing my private key + my valid end-entity certificate. Therefore I can sign files without issues. I am using the software provided by the certificate issuer to do so.

  1. Assuming I send a signed file to somebody who uses the software of another issuer, will they be able to verify the signature? My main concern here is how they are going to obtain the root and the intermediate certificates to build the certificate chain /we're talking about the case where the Authority Information Access field is null/? Isn't building the chain the first step towards signature verification?
  2. It seems to me that the software provided by the certificate issuer installs the intermediate and the root certificates on the computer. Is that correct?
  3. If there's a way to find all of those intermediate/root certificates on the internet - where might I be able to find them?

A while ago I had this idea to create an app that can use ANY token to sign a message, and verify messages sent by ANY signer. We're talking chain validation, CRL and OCSP checks. Is that even possible?

Upvotes: 1

Views: 832

Answers (1)

pedrofb

Reputation: 39291

  1. Assuming I send a signed file to somebody who uses the software of another issuer, will they be able to verify the signature?

Cryptographically, yes, they can using the public key, but verifying a signature in depth is a complex process:

  • Cryptographic verification
  • Trust in the certification chain
  • Certificate revocation status
  • Validity at signing time (certificate not expired, or signature protected with a timestamp)

And an essential factor is the format of the signature. There are multiple digital signature formats (XMLDsig, CMS, CAdES, PKCS#7, JWS, PAdES) encapsulating the digital signature, and the verification software must deal with the formats and interoperability issues between versions and even different interpretations of the standard.

My main concern here is how they are going to obtain the root and the intermediate certificates to build the certificate chain /we're talking about the case where the Authority Information Access field is null/?

Most digital signature formats require certificates to be included in the signature itself. Then the verifier can validate the certification chain up to the root certificate, which must be included in a local truststore.

Isn't building the chain the first step towards signature verification?

Yes, it is. The issuer must validate the certification chain. A signature cannot be considered valid if the issuer root certificate is not found in the local truststore.

  2. It seems to me that the software provided by the certificate issuer installs the intermediate and the root certificates on the computer. Is that correct?

Yes, the certificate can be pre-provisioned on a computer, and some operating systems or programming languages have a truststore with a list of preloaded trusted issuers that can be used to validate the signature.

  3. If there's a way to find all of those intermediate/root certificates on the internet - where might I be able to find them?

You can usually download them from the web page of the Certificate Authority. The certificate should include the AIA extension with a URL to download the issuer. Also, in the European Union there is a global list of trusted providers where references to all certificates in use are.

A while ago i had this idea to create an app that can use ANY token to sign a message, and verify messages sent by ANY signer. We're talking chain validation, CRL and OCSP checks. Is that even possible?

Yes, it is possible and it is a real business area. There are several commercial digital signature validation platforms. Take a look at the SD-DSS open-source project led by the EU.

Upvotes: 2
