How are ProofMarks Verified?

Once a ProofMark is issued, it is straightforward to determine that it has not been tampered with and that it is authentic.

To determine that a ProofMark has not been tampered with subsequent to issuance, a simple internal consistency check can be performed: the signature can be validated against the public key. This provides for a simple, on-the-spot verification of integrity using widely available software cryptographic routines.5 Communication with a Proof- Mark Server is not required.

To confirm a ProofMarks authenticity, it must be verified against an Archive. There are several levels of Archive verification. All levels of Archive verification perform the inter- nal verification described above prior to checking the archive. Each adds an additional level of authentication, preventing against increasingly sophisticated attacks. Each level also takes additional computing resources to complete.

Interval verification
The first level of archive verification authenticates any PKI signatures that were included in the original request that generated the ProofMark (these are part of the ProofMark). Authentication is accomplished by first verifying each certificate in the PKI signature’s certificate chain, then checking for a trusted certificate in the machine's local keystore whose subjectDN matches the issuerDN of the first certificate in the PKI signature's certificate chain. If these keys fail to match, an error is reported in the verification report.

Cross-certification verification
The second level of archive verification authenticates the PKI signatures, and checks the archive for the public key of the Interval. Then, the Interval's Cross- certifications (which are themselves ProofMarks) existing in the Archive are recursively authenticated.

Digest log verification
The highest level of archive verification authenticates the PKI signatures, checks the archive for the public key of the Interval, and checks the Interval's Cross-certifications. When these have been verified, the server confirms that the ProofMark digest exists in the Interval's archived digest log. ProofMark verification reports The ProofMark server issues a ProofMark verification report in response to a verification request. Input to this request is the ProofMark certification (the XML) to be verified. Output from this request is a Verification Report XML document containing the results.6 The Verification Report either lists any errors discovered in the process or indicates that the verification was successful.