From: "Phillip H. Griffin" <asn1(_at_)mindspring(_dot_)com>
The text "expands to a SEQUENCE of the data being signed, an algorithm
identifier, and a bit string" means that after parameterized type text
substitution on the nested parameterized types that make up the X.509
SIGNED {} type, you get the equivalent ASN.1 definition:
SIGNED { ToBeSigned } ::= SEQUENCE {
    toBeSigned  ToBeSigned,
    algorithm   AlgorithmIdentifier,
    signature   BIT STRING
}
This definition is signature scheme neutral. The four parameterized
type definitions used in X.509 are not. They imply that a digital
signature scheme performs an encrypted hash to sign an object. The
HASHED {}, ENCRYPTED {}, SIGNATURE {}, and SIGNED {} that follow
should be replaced with a simpler version of SIGNED {}.
I agree.
Perhaps the definitions in the as-yet-unratified 1997 version
of X.509, which have been changed from the 1993 version and now refer to
ENCRYPTED-HASH {}, can be changed again to simply refer to SIGNED {}.
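Added example, not part of the original message: a minimal DER encoder and decoder for the expanded SIGNED { ToBeSigned } SEQUENCE above, showing that a verifier must hash exactly the encoded toBeSigned bytes it extracts. The sample ToBeSigned, the id-sha256 AlgorithmIdentifier and the use of a SHA-256 digest in place of real signature output are assumed, constructed values so the block runs without keys.

```python
import hashlib

# Constructed stand-in: the "signature" is a SHA-256 digest of the encoded
# toBeSigned, not real signature-algorithm output (no keys needed here).
ALG_SHA256 = bytes.fromhex("0609608648016503040201")  # OID 2.16.840.1.101.3.4.2.1

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def parse_tlv(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def encode_signed(to_be_signed_der):
    # SIGNED{} ::= SEQUENCE { toBeSigned, algorithm AlgorithmIdentifier, signature BIT STRING }
    algorithm = tlv(0x30, ALG_SHA256 + tlv(0x05, b""))  # AlgorithmIdentifier, NULL parameters
    signature = tlv(0x03, b"\x00" + hashlib.sha256(to_be_signed_der).digest())  # 0 unused bits
    return tlv(0x30, to_be_signed_der + algorithm + signature)

def decode_signed(der):
    """Split SIGNED{} into its three fields and recheck the stand-in digest."""
    tag, body, end = parse_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not one DER SEQUENCE")
    _, _, p = parse_tlv(body)
    to_be_signed = body[:p]  # exact encoded bytes covered by the signature
    a_tag, alg, p = parse_tlv(body, p)
    s_tag, sig, p = parse_tlv(body, p)
    if (a_tag, s_tag) != (0x30, 0x03) or p != len(body):
        raise ValueError("unexpected SIGNED{} layout")
    ok = sig[1:] == hashlib.sha256(to_be_signed).digest()
    return to_be_signed, alg, ok

if __name__ == "__main__":
    # Constructed ToBeSigned: INTEGER 1 plus a 130-byte UTF8String (forces long-form lengths)
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x0c, b"x" * 130))
    print(decode_signed(encode_signed(tbs))[2])
```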