Russ Housley wrote:
Phil:
SET uses PKCS#7 v1.6. S/MIME v2 uses PKCS#7 v1.5. CMS is derived from
PKCS#7 v1.5.
SET started from the same standards document as S/MIME,the v1.5 version.
Before the SETv1.0 spec was delivered,
RSA agreed to publish a document on PKCSv1.6 so that SET
would have a reference to the (SET OF to SEQUENCE OF)
changes we made, and to allow current v1.5 users a clear
path for migrating from ASN.1:1990 to 1994.
The ASN.1 provided in PKCS #7v1.6 defines both v1.5
and v1.6. It can be easily converted into two distinct
modules, both ASN.1:1994. One module can include
definitions that only support v1.5, and the other v1.6.
This is explicitly allowed in the RSA document. Since
SET chose only to support v1.6, the SET ASN.1 definitions
for v1.5 were not included in that spec.
Both v1.5 and v1.6 default to EXPLICIT tags (though this
is never mentioned in the 1.5 docs, but RSA never really
defined an ASN.1 module until the 1.6 revision was done.
The RSA document states:
"The revision is also intended to ?close? the version
1.x series, providing a stable base during development
of the version 2.0 specification and any applications
based on it. We consider that the introduction of PKCS
#7 version 1.6, rather than introducing further
incompatibilities, will stabilize a number of
potentially divergent alternatives and extensions,
thereby increasing interoperability"
PKCS#7 v1.5 and v1.6 are quite different from an encoding point of view.
Yes, v1.6 replaces all SET OFs with SEQUENCE OFs, such
as for Attributes,CRLs, and Certificates, to avoid the
sorting penalty for these types required by DER. So, x31s
change to x30s. But a bigger change was made in regards
to the stripping of tag and length octets.
However, if a specification were to opt to use only
the v1.5 portion of these RSA definitions, it could
easily migrate to ASN.1 1994, yet still rely on the
traditional RSA documents. I just noticed that some
of this effort in providing both v1.5 and v1.6 syntax
in the same module was taken for the benefit of S/MIME
(predating the current work, though)
The RSA Extensions document states:
"Version 1.5 and version 1.6 syntax are distinguished by
a version number field, and the versions should be
considered alternate forms of cryptographic message
protection. Applications supporting either version may
be considered to conform with PKCS #7. Existing
applications based on version 1.5, such as S/MIME,
need not be upgraded to version 1.6. Likewise, version
1.6 applications need not support version 1.5 syntax."
Actually placing both versions (1.5,1.6) in the ASN.1
module was do to Burt Kaliski's wisdom. I recall that
I had only desired to have the SET v1.6 defined. RSA
decided to use the effort to provide a version of 1.5
in ASN.1 1994, since X.208 is slated to eventually loose
its status as a standard. At any rate, it is possible to
do PKCS #7 v1.5 and ASN.1:1994 at the same time.
Russ
At 11:08 PM 1/30/98 +0000, Phillip H. Griffin wrote:
Blake Ramsdell wrote:
snip
Jim has brought up a good point that since they use PKCS #7 for
Authenticode (I think) as well as potentially for other stuff, he
doesn't want to cart around code for both CMS and PKCS #7.
snip
If I'm not mistaken, that will be necessary anyway. PKCS #7,
we were told when we used it in the design of SET, assumes
EXPLICIT tags, but I believe that S/MIME assumes IMPLICIT.
I haven't looked closely enough at the two and run test
cases, but I would expect that there are some differences.
But maybe not.
Phil
--
Phillip H. Griffin Griffin Consulting
asn1(_at_)mindspring(_dot_)com ASN.1-SET-Java-Security
919.828.7114 1625 Glenwood Avenue
919.832.7008 [mail] Raleigh, North Carolina 27608 USA
------------------------------------------------------------
Visit http://www.fivepointsfestival.com
------------------------------------------------------------