I've just had another thought:

"3.4 Signing Certificate
The SMimeCertificatePublish object MUST be signed by a
signing certificate associated with the end-entity, or a
signing certificate of a CA in the validation path of the

I believe one requirement is that if the keyUsage extension is present
in the signing certificate then the digitalSignature bit must be set.
In the case of a CA certificate this may well not be the case and indeed
several CAs currently do not set the digitalSignature bit.
Perhaps the easiest solution is not to enforce this criterion for the
purpose of a CA signed SMIMECertificatePublish object.

Dr Stephen N. Henson.
UK based freelance Cryptographic Consultant. For info see homepage.
PGP key: via homepage.
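
The check discussed in the message above, as an added example that is not part of the original message or of any S/MIME implementation: it decodes the DER keyUsage BIT STRING and applies the digitalSignature requirement, with the suggested relaxation for a CA signer as an optional flag. The function names, the `relax_for_ca` parameter and the sample encodings are assumptions constructed for illustration.

```python
# Added illustration; names and sample encodings are constructed, not from the draft.
DIGITAL_SIGNATURE = 0   # X.509 KeyUsage bit numbers
KEY_CERT_SIGN = 5
CRL_SIGN = 6


def decode_key_usage(der):
    """Decode a DER KeyUsage BIT STRING into the set of asserted bit numbers."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    bits = set()
    for i, octet in enumerate(payload):
        for j in range(8):
            if octet & (0x80 >> j):   # bit 0 is the most significant bit
                bits.add(i * 8 + j)
    return bits


def signer_key_usage_ok(key_usage_der, signer_is_ca, relax_for_ca):
    """Apply the digitalSignature check to the certificate that signed the object.

    key_usage_der is None when the certificate has no keyUsage extension.
    relax_for_ca models the suggestion of not enforcing the bit for a CA signer.
    """
    if key_usage_der is None:
        return True                   # extension absent: nothing to enforce
    if DIGITAL_SIGNATURE in decode_key_usage(key_usage_der):
        return True
    return signer_is_ca and relax_for_ca


# Constructed samples of the extension value (the BIT STRING inside extnValue).
CA_CERTSIGN_CRLSIGN = bytes.fromhex("03020106")   # keyCertSign + cRLSign only
EE_SIG_KEYENC = bytes.fromhex("030205a0")         # digitalSignature + keyEncipherment
```

With strict enforcement the CA sample is rejected as a signer; with the relaxation it is accepted only when the signer is a CA, so an end-entity certificate lacking the bit is still refused.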