"Jim Craigie" TEL +44-1635-202124
<Jim(_dot_)Craigie(_at_)net-tel(_dot_)co(_dot_)uk> writes:
John,
[..snip..]
[JSP: Because then the CMS definition would need to define SignatureValue as
ANY to provide sufficient flexibility to support a variety of signature
algorithms. I believe that defining SignatureValue as an OCTET STRING is
the better choice.]
I disagree. Embedding an ASN.1 encoding within the value of an OCTET
STRING or a BIT STRING requires two passes of ASN.1 parsing, unless
you write special case code.
While this is true, I consider this a feature rather than a bug, in
most cases. In terms of software design, it's reasonably common (at
the CMS level) to treat signatures as opaque values, with the ASN.1
parsing of the signature (if necessary) being done in the module that
does the signature verification rather than in the module that does
the message processing. Popular cryptographic interfaces (e.g. BSAFE)
encourage this behavior.
-Ekr
--
[Eric Rescorla Terisa Systems, Inc.]
"Put it in the top slot."