ietf-smime

RE: CMS-01 SignerInfo and Attribute Certificates

1997-11-18 11:23:28
Scott,

IMHO, the SignerInfo IssuerAndSerialNumber does not need to identify the
signer's Attribute Cert (AC), but it must uniquely identify the signer's
X.509 Cert with which the AC is associated.  The PKIX X.509 Cert and CRL
Profile allows X.509 Certs to include an empty sequence as the Issuer Name
and a critical IssuerAltName extension which might contain a Name form.  The
current CMS IssuerAndSerialNumber does not include sufficient flexibility to
uniquely identify X.509 certs that use non-Name IssuerAltName forms instead
of the Issuer Name.  If the S/MIME v3 Certificate Handling spec allows empty
Issuer Names and non-Name IssuerAltName forms, then I believe that
IssuerAndSerialNumber should be changed as follows:

IssuerAndSerialNumber ::= SEQUENCE {
  issuer        Name,
  serialNumber  SerialNumber,
  issuerAltName [0] IMPLICIT GeneralNames OPTIONAL}

This would be backwards compatible with PKCS #7, v1.5.  The accompanying
text in CMS should state that the SignerInfo version shall be 1 if the
issuer Name is used and issuerAltName is absent.  If the issuerAltName is
present, then the version shall be 2.  If a v2 SignerInfo is mistakenly sent
to a legacy application that only understands v1 SignerInfo, then,
hopefully, the legacy software will gracefully report an error when it
detects that the version is not 1. 

- John Pawling  
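The structure and version rule described in the message above, as an added worked example that is not part of the original post or of any IETF draft: a minimal hand-rolled DER encoder and decoder for the proposed IssuerAndSerialNumber (issuer Name, serialNumber, and the optional [0] IMPLICIT GeneralNames), the SignerInfo version rule (1 when issuerAltName is absent, 2 when present), and the check a PKCS #7 v1.5-era verifier would apply. All function names, the CN "Example CA", the serial numbers and the LDAP URI are constructed for illustration.

```python
# Added example (not from John Pawling's message): hand-rolled DER for the
# proposed IssuerAndSerialNumber shape, plus the SignerInfo version rule.
# Every name, serial number and URI below is constructed for illustration.

def der_len(n):
    """DER length octets, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(n):
    # Non-negative INTEGER; signed=True adds the leading 0x00 when the top bit is set.
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def der_name(cn=None):
    """X.501 Name: SEQUENCE OF RDN. cn=None gives the empty SEQUENCE the
    PKIX profile permits as the issuer field."""
    if cn is None:
        return tlv(0x30, b"")
    # AttributeTypeAndValue { id-at-commonName (2.5.4.3), PrintableString }
    atv = tlv(0x30, der_oid("2.5.4.3") + tlv(0x13, cn.encode("ascii")))
    return tlv(0x30, tlv(0x31, atv))  # SEQUENCE { SET { atv } }

def encode_issuer_and_serial_number(issuer_name_der, serial, issuer_alt_uris=()):
    body = issuer_name_der + der_integer(serial)
    if issuer_alt_uris:
        # GeneralNames under [0] IMPLICIT: constructed context tag 0 (0xA0);
        # each uniformResourceIdentifier is [6] IMPLICIT IA5String (0x86).
        names = b"".join(tlv(0x86, u.encode("ascii")) for u in issuer_alt_uris)
        body += tlv(0xA0, names)
    return tlv(0x30, body)

def read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def iter_children(content):
    pos = 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        yield tag, value

def decode_issuer_and_serial_number(der):
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    children = list(iter_children(body))
    if len(children) < 2 or children[0][0] != 0x30 or children[1][0] != 0x02:
        raise ValueError("expected Name followed by INTEGER")
    result = {
        "issuer_rdn_count": sum(1 for _ in iter_children(children[0][1])),
        "serial": int.from_bytes(children[1][1], "big", signed=True),
        "issuer_alt_names": [],
    }
    if len(children) > 2:
        tag, names = children[2]
        if tag != 0xA0:
            raise ValueError("unexpected trailing element")
        result["issuer_alt_names"] = [
            v.decode("ascii") for t, v in iter_children(names) if t == 0x86]
    return result

def signer_info_version(decoded):
    """Version rule from the message: 1 if issuerAltName is absent, 2 if present."""
    return 2 if decoded["issuer_alt_names"] else 1

def legacy_v1_accepts(version):
    """A PKCS #7 v1.5-era verifier that only understands version 1."""
    return version == 1

if __name__ == "__main__":
    v1 = encode_issuer_and_serial_number(der_name("Example CA"), 42)
    v2 = encode_issuer_and_serial_number(der_name(), 0x1234, ["ldap://ca.example.test"])
    for blob in (v1, v2):
        d = decode_issuer_and_serial_number(blob)
        ver = signer_info_version(d)
        print(blob.hex(), d, "version", ver,
              "legacy accepts" if legacy_v1_accepts(ver) else "legacy rejects")
```

The second case (empty issuer Name plus a URI in issuerAltName) is exactly the certificate shape the message says the current IssuerAndSerialNumber cannot identify; it encodes under the proposed syntax, decodes to version 2, and is rejected by the version-1-only verifier rather than being misread as a v1 structure.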

