
Re(2): Re(2): Comments on the Cryptographic Message Syntax

1997-11-18 21:22:24
John,

After reading the R-H requirements, I now agree with Jim that
"originatorCertificateSelector CertificateAssertion OPTIONAL" should be
added to the RecipientInfo SEQUENCE.

However, I have another concern as follows: CertificateAssertion includes
"pathToName" as an option.  X.509 describes "pathToName" as follows:
"pathToName matches unless the certificate has a name constraints extension
which inhibits the construction of a certification path to the presented
name value."  Do we really need the pathToName option in the
originatorCertificateSelector CertificateAssertion in the RecipientInfo
SEQUENCE?  It adds significant complexity to the process of matching the
originator's key material with the recipientInfo.  Could we adopt Jim's
recommended solution with a caveat stating that "pathToName" is prohibited?

Agreed. There is no issue here, since the name constraints extension can only
apply to CA Certificates, and we are selecting from user certificates, so it
is not appropriate to use the pathToName option within CertificateAssertion.
This restriction could be formalised into the ASN.1 as follows:

originatorCertificateSelector CertificateAssertion (WITH COMPONENTS {..., pathToName ABSENT}) OPTIONAL

Of course, any name constraints in CA certificates must be applied when
verifying the certification path (but we're not discussing that here).

Jim
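The constrained selector discussed in this thread, as an added illustration that is not part of the original message: a small matcher that enforces "pathToName ABSENT" before matching a CertificateAssertion against a set of user certificates. The allowed component names, the dict representation and the sample certificates are assumptions made for the example, not taken from the thread or the S/MIME specification.

```python
# Added example (not from the ietf-smime thread). It models an
# originatorCertificateSelector of type
#   CertificateAssertion (WITH COMPONENTS {..., pathToName ABSENT})
# and uses it to pick the originator's certificate(s) from a set of
# user certificates, as a recipient would when locating key material.

# Assumed subset of CertificateAssertion components for user certificates.
# pathToName is deliberately not in the set: it only makes sense when name
# constraints (a CA-certificate extension) are in play.
ALLOWED_COMPONENTS = {"serialNumber", "issuer", "subject", "subjectKeyIdentifier"}


class ConstraintViolation(ValueError):
    """Raised when a selector violates the WITH COMPONENTS constraint."""


def check_selector(selector: dict) -> None:
    """Enforce the ASN.1 constraint before any matching is attempted."""
    if "pathToName" in selector:
        raise ConstraintViolation(
            "pathToName must be ABSENT in originatorCertificateSelector")
    unknown = set(selector) - ALLOWED_COMPONENTS
    if unknown:
        raise ConstraintViolation(f"unsupported components: {sorted(unknown)}")


def select_originator_certs(selector: dict, certs: list) -> list:
    """Return certificates matching every component present in the selector.

    An absent component imposes no condition; a present one must be equal
    to the corresponding certificate field (string/int comparison here).
    """
    check_selector(selector)
    return [c for c in certs
            if all(c.get(field) == value for field, value in selector.items())]


# Constructed sample user certificates (placeholders, not real certificates).
SAMPLE_CERTS = [
    {"issuer": "CN=Example CA", "serialNumber": 1001,
     "subject": "CN=Alice", "subjectKeyIdentifier": "a1"},
    {"issuer": "CN=Example CA", "serialNumber": 1002,
     "subject": "CN=Alice", "subjectKeyIdentifier": "a2"},
    {"issuer": "CN=Other CA", "serialNumber": 1001,
     "subject": "CN=Bob", "subjectKeyIdentifier": "b1"},
]
```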
