ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: CMS-03 Comments

1998-02-23 15:16:09
from [Jim Schaad (Exchange)] [Permanent Link] 
John,

My memory of the following is slightly different, but this may be
colored by previous history.   I have been working with Blake to put
this into the S/MIME message draft.  After reading this however I think
that this should really be put into the CMS draft as it would be more
general than just S/MIME.


11) The following proposals were made at an informal meeting 
held in San
Francisco on 14 Jan 98 to discuss S/MIME-related issues, but are not
included in CMS-03:
 
"One issue discussed was the process by which an agent
determines which of a remote user's certificates should be used for KM
purposes to support the encryption of a CMS EnvelopedData 
object.  It is
proposed that a new authenticated attribute will be defined 
in CMS that will
identify which of a user's X.509 certificates (usually 
communicated in the
SignedData certificates field) is to be used for key 
management purposes.
For example, User 1 sends a SignedData object including his KM and DS
Certificates in the SignedData certificates field and the 
authenticated
attribute indicating which of the certs is his KM cert.  The 
remote user
would then know which cert to use for KM purposes when sending an
envelopedData object to User 1.  (Note that the EnvelopedData 
recipientInfo
originatorCert field is used to indicate which of the 
originator's certs (if
required by the KM algorithm (such as D-H)) is to be used for 
KM purposes to
support the decryption of an envelopedData object.) 

The following rule is also proposed for addition to CMS: "If
the new authenticated attribute is absent, then the signature and KM
certificates must include the same subject identifying information
(i.e., subject DN and/or subjectAltName)."  If the new attribute is
absent, then the sending agent would examine the OID in the
subjectPublicKeyInfo field of each cert to determine if the 
OID indicates
the purpose (ex: id-dsa indicates that a DSS key is included 
in the cert).
The agent MUST also examine the keyUsage extension, if present, to 
determine the intended usage of the public key included in the cert."


================================
John Pawling   
jsp(_at_)jgvandyke(_dot_)com                             
J.G. Van Dyke & Associates, Inc.           
================================
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: CMS-03 Comments, John Pawling
Next by Date:  Comments on CMS-03, Jim Schaad (Exchange)
Previous by Thread:  Re: CMS-03 Comments, John Pawling
Next by Thread:  Re: CMS-03 Comments, John Pawling
Indexes:  [Date] [Thread] [Top] [All Lists]