[Top] [All Lists]

Certificates Field in Signed Data

1997-01-20 15:03:12
"Jeff Thompson" <jefft(_at_)shore(_dot_)net> 01/03/80 07:47am >>>

I think you should push as many certificates when sending a message
that you think will help the recipient validate your public key.

As for the certificates field, it is a SET OF, not a SEQUENCE OF.  
Therefore, there is no meaning to the order of certificates found in
n fact, if someone's software is automatically encoding as DER
(as opposed to BER) then the ordering will be strictly according to the
encoded bytes of each certificate - that is, irrelevant of the meaning of
each certificate.  The certificates field is therefore an unordered 
"bag o' certificates".  The same goes for CRLs.

I don't want to get into the argument about the Trusted Root Certificate:
whether it is a self-signed certificate, how it is in fact "trusted".  Some
applications also send self-signed certificates for the signer of the
(not the root) to support non-hierarchical certification schemes so the
sender can
send a certificate for him/herself which is not created by a third party.
But again, the "Trusted Root Certificate" would not come first or last
in the SET OF certificates.


I think you are right. In the current version of PKCS7 Signed Data format
certificates field is indeed a SET OF which means an ordered collection
of Certificates.

But My question is more fundamental. Do we fit our requirement
according to the syntax or do we modify the syntax according to our

In other words, could we make the certificates fields as a SEQUENCE
OF instead of a SET OF in the next version of PKCS7 Signed Data?
This is only a suggestion. Why don't we brainstorm this issue?

The issue is the following: I get a signed Data message, I decode it,
get a bunch of certificates (provided it has been attached). Now,
what would be the simplest way to select the certificate of the signer
and verify the whole chain?

 I am proposing let the syntax indicate a mechanism to select the signer's
certificate and the Root Certificate. I would like to hear other's opinion


  --Arup Biswas
    Software Engineer,

From: Arup Biswas <ABISWAS(_at_)novell(_dot_)com>

One small detail for the WG to resolve, we need to establish a protocol
about the certificates field  in the Signed Data message. Do we keep a
single certificate or the chain? Trusted Root Certificate first or last?
Similarly for the CRLs. 

<Prev in Thread] Current Thread [Next in Thread>