
Re: 1/14/98 S/MIME Proposals

1998-01-19 15:59:55
From jsp(_at_)jgvandyke(_dot_)com Mon Jan 19 13:53:42 1998

[ snip ]

3) Two Key Systems
...


Proposal #4: The following rule is also proposed for addition to CMS: "If
the new authenticated attribute is absent, then the signature and KM
certificates must include the same subject DN."  If the new attribute is
absent, then the sending agent would examine the OID in the
subjectPublicKeyInfo field of each cert to determine if the OID indicates
the purpose (ex: id-dsa indicates that a DSS key is included in the cert).
The agent should also examine the keyUsage extension to determine the
intended usage of the public key included in the cert.


[ snip ]

It would seem that the agent should check the keyUsage extension *first*,
before checking the subjectPublicKeyInfo field ... doesn't that match more
closely the intent of the keyUsage extension?

So a simple flow would be like:

1) Does an authenticated attribute exist in the CMS? If so, then DONE
2) if not, MUST (Carlisle's comments, which I completely agree with) check
   the keyUsage extensions (if they exist) of the certificates with the same
   subject DN; if one of them is clearly marked for KM purposes, then DONE
3) if the keyUsage extensions don't exist, then look into
   subjectPublicKeyInfo

Just a thought,

        -- Chen Wang, NetDox
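The three-step flow above, written out as an added example (not code from the thread or from any S/MIME implementation). Certificates are modelled as constructed records with a subject DN, the subjectPublicKeyInfo algorithm OID and an optional keyUsage set; the OIDs for id-dsa, rsaEncryption and dhpublicnumber are the standard ones, and the "KM marking" is assumed to be keyEncipherment or keyAgreement.

```python
from dataclasses import dataclass
from typing import Optional

# Standard algorithm OIDs found in subjectPublicKeyInfo.
ID_DSA = "1.2.840.10040.4.1"            # DSS: signature key only
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # RSA: usable for KM
DH_PUBLIC_NUMBER = "1.2.840.10046.2.1"   # Diffie-Hellman: key agreement

# keyUsage bits that mark a certificate for key management (assumption).
KM_KEY_USAGE = {"keyEncipherment", "keyAgreement"}


@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate, not a real parser."""
    subject: str
    spki_oid: str
    key_usage: Optional[frozenset] = None  # None = extension absent


def select_km_cert(cms_attr_cert, certs, signer_subject):
    """Pick the KM certificate following the flow in the message above.

    cms_attr_cert: the cert named by the proposed authenticated attribute,
    or None when the attribute is absent from the CMS object.
    """
    # Step 1: the authenticated attribute settles it directly.
    if cms_attr_cert is not None:
        return cms_attr_cert
    # Only certs carrying the same subject DN as the signer are candidates.
    cands = [c for c in certs if c.subject == signer_subject]
    # Step 2: keyUsage is checked first; an explicit KM marking wins.
    for c in cands:
        if c.key_usage is not None and c.key_usage & KM_KEY_USAGE:
            return c
    # Step 3: only certs WITHOUT keyUsage fall back to the SPKI algorithm.
    # A cert whose keyUsage is present but signature-only is never promoted
    # to KM merely because its key algorithm could encrypt.
    for c in cands:
        if c.key_usage is None and c.spki_oid in (RSA_ENCRYPTION, DH_PUBLIC_NUMBER):
            return c
    return None  # no usable KM certificate found
```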

