ietf-smime

RE: Proposal: Re: 'Signature Purpose' attribute?

1998-01-21 09:07:35
Tim,

You stated:
Having no way to determine that one is the intended recipient of an
S/MIME signed message is just one of a number of obvious limitations
which have been discussed on the list, 

I disagree with this statement and with your other arguments regarding the
determination that one is the intended recipient of an S/MIME signed
message.  If the originator wishes to protect the data such that only
specified people can access the plaintext data, then the originator must
protect the data within a signedData object which is then encrypted within
an envelopedData object.  This ensures that only the intended recipients can
access the data and identifies to the recipient that she is one of the
intended recipients.

If the originator chooses to send a signed-only message, then the originator
has made the decision that she doesn't care who accesses the data.  In that
case, I don't know why the recipient would need to determine that she is one
of the intended recipients.

Note that if an originator wishes to send a signed-only message and that
only specified recipients should return a signed receipt, then that
capability is provided in the receiptRequest authenticated attribute.

================================
John Pawling   
jsp(_at_)jgvandyke(_dot_)com                             
J.G. Van Dyke & Associates, Inc.           
================================
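
The layering described in the message above (a signedData object encrypted inside an envelopedData object), as an added example that is not part of the original post. It assumes the `openssl` command-line tool with its `cms` subcommand; the parties alice, bob and eve, their throwaway self-signed certificates, and the message text are constructed for the demonstration.

```shell
# Constructed demo: alice signs, bob is the only named recipient, eve is not.
mkcert() {   # $1 = party name; writes $1.key and $1.pem (throwaway, self-signed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

sign_then_envelope() {   # $1 = plaintext file, $2 = enveloped output (DER)
  # Inner layer: signedData carrying the content (-nodetach) and alice's signature.
  openssl cms -sign -binary -nodetach -in "$1" -signer alice.pem \
    -inkey alice.key -outform DER -out signed.der 2>/dev/null &&
  # Outer layer: envelopedData whose only RecipientInfo is for bob's certificate.
  openssl cms -encrypt -binary -aes-256-cbc -in signed.der \
    -outform DER -out "$2" bob.pem
}

open_envelope() {   # $1 = party name, $2 = enveloped file, $3 = recovered plaintext
  # Decryption succeeds only if a RecipientInfo matches this party's certificate;
  # that success is what tells the reader she is an intended recipient.
  openssl cms -decrypt -inform DER -in "$2" -recip "$1.pem" \
    -inkey "$1.key" -out "inner_$1.der" 2>/dev/null &&
  # The decrypted payload is the signedData; verify it against alice's certificate.
  openssl cms -verify -binary -inform DER -in "inner_$1.der" \
    -CAfile alice.pem -out "$3" 2>/dev/null
}

cd "$(mktemp -d)" || exit 1
for party in alice bob eve; do mkcert "$party"; done
printf 'constructed sample message\n' > msg.txt
sign_then_envelope msg.txt env.der

if open_envelope bob env.der bob.txt; then
  echo "bob: decrypted and signature verified"
fi
if ! open_envelope eve env.der eve.txt; then
  echo "eve: no matching RecipientInfo, plaintext not accessible"
fi
```
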