From EKR:
Since the digest can be independently computed from the
message data, it's hard to understand why removing it from the
authenticatedAttributes on the wire adds any security.
I have to agree strongly with Chris. Since the digest can be
independently computed from the message data, it *should* be so
computed, and not transmitted on the wire.
Including a redundant copy of the hash is not only, well, redundant,
it also is an invitation for implementors to make a mistake and not
compute the hash from the message. That is an operational security
problem, even if no case can be demonstrated for which it introduces
a cryptographic vulnerability.
As Chris said, "motive and opportunity". I'm always in favor of
removing an opportunity for error.
Dave Kemp
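The "mistake" Dave describes above can be made concrete. What follows is an added example, not code from anyone in this thread: a toy verifier modelled on the PKCS#7/CMS layout under discussion, where the signature covers the authenticated attributes and the content is bound to the signature only through the messageDigest attribute. HMAC-SHA256 is assumed as a stand-in for the public-key signature (the Python standard library has no asymmetric signing), JSON stands in for the DER encoding of the attribute SET, and the key and messages are constructed for the example. The point is the shape of the check, not the primitives.

```python
import hashlib
import hmac
import json

# Constructed signing key; an HMAC key stands in for the signer's private key.
SIGNING_KEY = b"constructed-example-signing-key"
DIGEST_LEN = hashlib.sha256().digest_size


def digest(content: bytes) -> bytes:
    """Message digest the signer is supposed to compute over the content."""
    return hashlib.sha256(content).digest()


def encode_attrs(attrs: dict) -> bytes:
    """Deterministic encoding of the authenticated attributes (DER stand-in)."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def sign(content: bytes) -> dict:
    """Build a signed message: content + authenticatedAttributes + signature.

    Only the encoded attributes are signed; the content is bound to the
    signature solely via the messageDigest attribute, as in PKCS#7.
    """
    attrs = {"contentType": "data", "messageDigest": digest(content).hex()}
    sig = hmac.new(SIGNING_KEY, encode_attrs(attrs), hashlib.sha256).digest()
    return {"content": content, "authenticatedAttrs": attrs, "signature": sig.hex()}


def signature_ok(msg: dict) -> bool:
    """Check the signature over the authenticated attributes only."""
    expected = hmac.new(SIGNING_KEY, encode_attrs(msg["authenticatedAttrs"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(msg["signature"]))


def verify_trusting_wire_digest(msg: dict) -> bool:
    """The mistake the thread warns about.

    The signature over the attributes is checked, and the messageDigest
    carried on the wire is accepted at face value (here only its length is
    sanity-checked). The content itself is never hashed, so any content can
    be substituted while the attributes and signature still verify.
    """
    wire = bytes.fromhex(msg["authenticatedAttrs"]["messageDigest"])
    return signature_ok(msg) and len(wire) == DIGEST_LEN


def verify_recomputing_digest(msg: dict) -> bool:
    """Correct check: recompute the digest from the content and compare it,
    in constant time, with the signed messageDigest attribute."""
    if not signature_ok(msg):
        return False
    wire = bytes.fromhex(msg["authenticatedAttrs"]["messageDigest"])
    return hmac.compare_digest(digest(msg["content"]), wire)


def substitute_content(msg: dict, new_content: bytes) -> dict:
    """Attacker keeps the signed attributes and signature, swaps the content."""
    return {**msg, "content": new_content}


if __name__ == "__main__":
    original = sign(b"Transfer 10 EUR to Alice")        # constructed message
    forged = substitute_content(original, b"Transfer 10000 EUR to Mallory")
    print("original, trusting wire digest:  ", verify_trusting_wire_digest(original))
    print("forged,   trusting wire digest:  ", verify_trusting_wire_digest(forged))
    print("forged,   recomputing digest:    ", verify_recomputing_digest(forged))
```

The forged message passes the first verifier and fails the second; nothing cryptographic is broken, the implementor simply skipped the step that ties the content to the signature, which is exactly the operational risk of having the digest available on the wire.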