Should there be a criticality flag for signed attributes?
The application I am thinking of is limiting an employee's signing
authority inside a company. An obvious way to do this would be to have
an OID for the signed attribute 'this message does not constitute an
offer or acceptance of a contract'.
The problem is forcing the client to bring this (or a like) OID to the
attention of the reader.
It seems to me we may just need a critical flag just like there is in
the X.509v3 certificate. If the critical bit is set and the client does
not understand the semantics of the attribute a client is required to
inform the user of the fact.
Alternatively one could suggest making all extensions critical in which
case I am sure I can think up an example of a need to flag something
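The rule proposed in the message above, as an added example that is not part of the original post: a verifier collects every signed attribute that is marked critical but not understood, so the client can bring it to the reader's attention. S/MIME signed attributes carry no such flag, so the encoding is an assumption borrowed from the X.509v3 Extension structure (OID, optional BOOLEAN, OCTET STRING), and the OIDs under 2.999 are constructed placeholders.

```python
# Assumed encoding (modelled on the X.509v3 Extension, not an S/MIME structure):
#   SEQUENCE { id OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, value OCTET STRING }

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element with a definite length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode base-128 subidentifiers; the first one packs the two leading arcs."""
    subs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def parse_attribute(der):
    """Return (oid, critical, value) for one attribute in the assumed encoding."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid, pos = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    critical = False                       # DEFAULT FALSE when the BOOLEAN is absent
    tag, body, pos = read_tlv(seq, pos)
    if tag == 0x01:
        critical = body != b"\x00"
        tag, body, pos = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    return decode_oid(oid), critical, body

def must_notify(attrs_der, understood):
    """OIDs of critical attributes the client does not understand."""
    parsed = [parse_attribute(a) for a in attrs_der]
    return [oid for oid, critical, _ in parsed if critical and oid not in understood]

# Constructed samples: 2.999.1 marked critical, 2.999.2 non-critical (flag omitted).
NO_CONTRACT = bytes.fromhex("300a06038837010101ff0400")
OTHER_ATTR = bytes.fromhex("30080603883702040178")
```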