ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: 1/14/98 S/MIME Proposals

1998-01-19 15:32:27
from [Carlisle Adams] [Permanent Link] 
Hi John,

Great minutes, as always.


----------
From:  jsp(_at_)jgvandyke(_dot_)com[SMTP:jsp(_at_)jgvandyke(_dot_)com]
Sent:  Monday, January 19, 1998 2:44 PM
To:    ietf-smime(_at_)imc(_dot_)org
Subject:       1/14/98 S/MIME Proposals

All,

The following individuals met on 14 Jan 98 in San Francisco to discuss
S/MIME-related issues: Russ Housley, Spyrus; Paul Hoffman, IMC; Blake
Ramsdell, WorldTalk; Jim Schaad, Microsoft; Jon Callas, PGP; Dave Solo,
Citicorp; Pat Cain, GTE: Bob Dickinson, WorldTalk; Ron ?, WorldTalk; Clark
Wagner, DoD; John Pawling, VDA.  As requested by Paul Hoffman, this message
includes notes from the meeting including proposals for changes to the
S/MIME v3 set of I-Ds.  All are welcome to provide comments, if any.


A couple of small comments...


3) Two Key Systems

There was a discussion regarding some perceived problems with two key
systems (i.e. separate keys used for signing and for KM). 

Proposal #4: The following rule is also proposed for addition to CMS: "If
the new authenticated attribute is absent, then the signature and KM
certificates must include the same subject DN."  


I might suggest that the last couple of words above get modified
slightly.  You say elsewhere in these minutes that the DN might be NULL
(essentially directing parsers to the (critical) subjectAltName
extension).  Therefore, the rule might be worded:  "If the new
authenticated attribute is absent, then the signature and KM
certificates must include the same subject identifying information
(i.e., DN and/or subjectAltName)."  Or something to that effect...


If the new attribute is
absent, then the sending agent would examine the OID in the
subjectPublicKeyInfo field of each cert to determine if the OID indicates
the purpose (ex: id-dsa indicates that a DSS key is included in the cert).
The agent should also examine the keyUsage extension to determine the
intended usage of the public key included in the cert.


You say elsewhere in these minutes that if a keyUsage extension is
included then it must be critical.  Therefore, the final sentence above
might be worded:  "The agent MUST also examine the keyUsage extension
(if present) to determine the intended usage of the public key included
in the cert."  [That is, I think that your use of the word "should" is
too soft here...]


--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams(_at_)entrust(_dot_)com
--------------------------------------------
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  1/14/98 S/MIME Proposals, John Pawling
Next by Date:  RE: Proposal: Re: 'Signature Purpose' attribute?, Trevor Freeman
Previous by Thread:  1/14/98 S/MIME Proposals, John Pawling
Next by Thread:  RE: 1/14/98 S/MIME Proposals, John Pawling
Indexes:  [Date] [Thread] [Top] [All Lists]