ietf-smime
[Top] [All Lists]

Re: Receipts vs. SignedData

1997-11-12 16:49:06
Ah...  We are in sync on this. But your message leads to another question:

Should we document that a recipient can reject received messages (i.e.
SignedData) based on the encapsulated content type?  This is not obvious
from any of the documents, and perhaps should be mentioned in CMS.

Regards,
Rich

----------
From: John Pawling <jsp(_at_)jgvandyke(_dot_)com>
To: Rich Ankney <rankney(_at_)erols(_dot_)com>; Trevor Freeman
<trevorf(_at_)microsoft(_dot_)com>; Blake Ramsdell 
<BlakeR(_at_)deming(_dot_)com>; 'Larry Layten'
<larry(_at_)ljl(_dot_)com>; 'ietf-smime(_at_)imc(_dot_)org'
Subject: Re: Receipts vs. SignedData
Date: Wednesday, November 12, 1997 5:13 PM

Rich,

The following example depicts the detailed nesting for a CMS SignedData
object: 

Outermost Layer: 
  MIME Heading encapsulating:
    ASN.1 encoded ContentInfo including:
      ContentType set to SignedData OID
      Content ANY including: 
        ASN.1 encoded SignedData including (among other things):
          ContentInfo including: 
            ContentType set to Data OID
            Content ANY including:
              ASN.1 encoded Data OCTET STRING including:
                MIME Heading encapsulating:
                original content


The following example depicts the detailed nesting for a CMS/ESS
SignedData/Receipt: 

Outermost Layer: 
  MIME Heading encapsulating:
    ASN.1 encoded ContentInfo including:
      ContentType set to SignedData OID
      Content ANY including: 
        ASN.1 encoded SignedData including (among other things):
          ContentInfo including: 
            ContentType set to Receipt OID
            Content ANY including:
              ASN.1 encoded Receipt

When a user agent receives any CMS object it must first decode the outer
ContentInfo to determine the type of CMS object encapsulated within the
ContentInfo.  In the vast majority of cases, the receiving agent must
decode
the actual CMS object to obtain the originator certificates, algorithms
applied to the object, etc.  In the case of decoding a
SignedData/Receipt,
as part of the generic decoding process, the receiving agent discovers
that
the SignedData encapsulates a Receipt content.  At this point the
receiving
agent knows that the received CMS object is a SignedData/Receipt and can
take the appropriate actions.

Therefore, I do not believe that the ESS strategy for SignedData/Receipt
adds much work at all to the initial steps of processing a received CMS
object.  After all of the other steps, having to examine the inner
contentInfo contentType is trivial.

As far as having to read both the CMS and ESS specs to figure all of this
out, I don't believe that is a big deal when you consider the sum total
of
all specs that one must read to implement ASN.1, V3 X.509 Certs, etc,
etc.
The ESS is an optional part of the S/MIME v3 Message Spec environment. 
If a
vendor does not wish to support signed receipts, then it can simply
ignore
them as unrecognized objects.

- John Pawling



At 04:31 PM 11/12/97 -0500, Rich Ankney wrote:
I think there's still a disconnect here.

Is the following correct?

A normal message (of type 'data') is signed, giving a SignedData
whose inner content is type 'data'.

A receipt is signed, giving another SignedData whose inner conten
is type 'receipt'.

The thing I was objecting to is having to peel open the inner
contentInfo
and determine it's type, in order to know what kind of digesting to do.
This means the digesting part of CMS applies to all contents being
signed except for receipts; the processing for receipts is described in
ESS.  So handling of SignedData is now spread across two documents,
which isn't exactly optimal from a developer's point of view.    

Regards,
Rich
----------
From: John Pawling <jsp(_at_)jgvandyke(_dot_)com>
To: Rich Ankney <rankney(_at_)erols(_dot_)com>; Trevor Freeman
<trevorf(_at_)microsoft(_dot_)com>; Blake Ramsdell 
<BlakeR(_at_)deming(_dot_)com>; 'Larry
Layten'
<larry(_at_)ljl(_dot_)com>; 'ietf-smime(_at_)imc(_dot_)org'
Subject: Re: Receipts vs. SignedData
Date: Wednesday, November 12, 1997 3:56 PM

Rich,

I agree with you that the ESS Receipt strategy should remain as is and
that
the CMS spec should be clarified to state that the message-digesting
process
that it describes only applies to the SignedData content type.

- John Pawling




<Prev in Thread] Current Thread [Next in Thread>