Dave & Eric:
I understand the security issue. The recipient must recompute the message
digest. However, vendors have been very clear that they want CMS to be
backward compatible with PKCS#7v1.5. So, in the last version of CMS, I
included text requiring the recipient to recompute the message digest.
Russ
At 03:28 PM 1/23/98 -0500, David P. Kemp wrote:
From EKR:
Since the digest can be independently computed from the
message data, it's hard to understand why removing it from the
authenticatedAttributes on the wire adds any security.
I have to agree strongly with Chris. Since the digest can be
independently computed from the message data, it *should* be so
computed, and not transmitted on the wire.
Including a redundant copy of the hash is not only, .. well .., redundant,
it also is an invitation for implementors to make a mistake and not
compute the hash from the message. That is an operational security
problem, even if no case can be demonstrated for which it introduces
a cryptographic vulnerability.
As Chris said, "motive and opportunity". I'm always in favor of
removing an opportunity for error.
Dave Kemp
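The failure mode Dave describes above, as an added example that is not part of the thread: a verifier that checks the signature over the signed attributes and then trusts the transmitted message-digest attribute, beside one that recomputes the digest from the content as the CMS text requires. The SignerInfo is modelled as a plain Python dict, DER is stood in for by sorted JSON, the public-key signature is stood in for by an HMAC with a constructed key, and SHA-256 replaces the SHA-1/MD5 of the era; all of these are assumptions made so the example runs offline with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the signer's private key (assumption: an HMAC key
# plays the role of the RSA/DSA key so the example needs no external library).
SIGNING_KEY = b"constructed-demo-key"


def canonical_attrs(attrs: dict) -> bytes:
    # DER gives signedAttrs a single canonical encoding; sorted JSON is the
    # stand-in for that encoding here.
    return json.dumps(attrs, sort_keys=True).encode()


def sign(content: bytes, key: bytes = SIGNING_KEY) -> dict:
    """Build a SignerInfo-like record: content, signedAttrs carrying the
    message-digest attribute, and a signature over the encoded signedAttrs."""
    signed_attrs = {
        "contentType": "id-data",
        "messageDigest": hashlib.sha256(content).hexdigest(),
    }
    signature = hmac.new(key, canonical_attrs(signed_attrs), hashlib.sha256).hexdigest()
    return {"eContent": content, "signedAttrs": signed_attrs, "signature": signature}


def verify_trusting_wire_digest(signer_info: dict, key: bytes = SIGNING_KEY) -> bool:
    """The mistake the thread warns about: verify the signature over signedAttrs
    and accept the messageDigest attribute as the digest of the content without
    ever hashing the content. The signature is genuine, so this passes even
    when eContent has been replaced."""
    expected = hmac.new(key, canonical_attrs(signer_info["signedAttrs"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signer_info["signature"])


def verify_recomputing_digest(signer_info: dict, key: bytes = SIGNING_KEY) -> bool:
    """What the CMS text requires: recompute the digest over eContent, compare it
    with the messageDigest attribute, and only then verify the signature over
    signedAttrs. The attribute on the wire is a value to check, not to use."""
    attrs = signer_info["signedAttrs"]
    actual = hashlib.sha256(signer_info["eContent"]).hexdigest()
    if not hmac.compare_digest(actual, attrs["messageDigest"]):
        return False
    expected = hmac.new(key, canonical_attrs(attrs), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signer_info["signature"])


def substitute_content(signer_info: dict, new_content: bytes) -> dict:
    """Attacker's move: swap the content, keep signedAttrs and signature intact."""
    forged = dict(signer_info)
    forged["eContent"] = new_content
    return forged


if __name__ == "__main__":
    genuine = sign(b"transfer 10")                 # constructed sample content
    forged = substitute_content(genuine, b"transfer 10000")
    print("genuine, trusting verifier:   ", verify_trusting_wire_digest(genuine))
    print("genuine, recomputing verifier:", verify_recomputing_digest(genuine))
    print("forged,  trusting verifier:   ", verify_trusting_wire_digest(forged))
    print("forged,  recomputing verifier:", verify_recomputing_digest(forged))
```

The forged record carries the signer's own, untouched signedAttrs, so any check that stops at the signature accepts it; only the verifier that hashes eContent itself notices that the content no longer matches the attribute.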