ietf-smime

Inclusion of the issuer and serial number in authenticated information

1998-02-24 23:25:20
In discussions with other people here at Microsoft about the questions
of building certificate chains and what you sign with (a certificate or
a key), we came up with an interesting security hole from a legal
standpoint.  If a person gets more than one certificate for a given key,
a person could switch certificates in the signed data object to the
other certificate thus potentially changing the legal liability of the
signature.

To address this problem, I strongly suggest we do the following:

1.  In CMS we define an authenticated attribute which contains the
issuer and serial number of the certificate which was used to sign the
message.

2.  We require this new attribute to be included in the
authenticatedAttributes section of the message if one exists.  (We can't
do anything about the problem if it does not exist.)

If the list thinks this is a problem which needs to be addressed, I will
come up with a detailed proposal to fix this and submit it to the list.

jim schaad
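
The certificate substitution described in the message above, and the check the proposed attribute makes possible, as an added example (not part of the original post and not CMS code). It assumes a constructed toy RSA key, a text stand-in for the DER-encoded authenticated attributes, and a hypothetical attribute name `signingCert`.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes); illustration only, not secure.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def digest(data: bytes, n: int = N) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes) -> int:
    return pow(digest(data), D, N)

# Two constructed certificates issued for the SAME public key.
CERT_A = {"issuer": "CN=Example CA A", "serial": 1001, "pub": (N, E)}
CERT_B = {"issuer": "CN=Example CA B", "serial": 77, "pub": (N, E)}

def encode_attrs(content: bytes, cert=None) -> bytes:
    """Text stand-in for the DER-encoded authenticated attributes."""
    attrs = "messageDigest=" + hashlib.sha256(content).hexdigest()
    if cert is not None:  # the proposed attribute (hypothetical name)
        attrs += f";signingCert={cert['issuer']}#{cert['serial']}"
    return attrs.encode()

def make_signed(content: bytes, cert: dict, bind_cert: bool) -> dict:
    attrs = encode_attrs(content, cert if bind_cert else None)
    return {"content": content, "attrs": attrs, "sig": sign(attrs), "cert": cert}

def swap_cert(msg: dict, other: dict) -> dict:
    """Replace the certificate carried with the message; signature untouched."""
    return {**msg, "cert": other}

def verify(msg: dict) -> bool:
    n, e = msg["cert"]["pub"]
    if pow(msg["sig"], e, n) != digest(msg["attrs"], n):
        return False  # signature over the attributes does not verify
    fields = dict(f.split("=", 1) for f in msg["attrs"].decode().split(";"))
    if fields["messageDigest"] != hashlib.sha256(msg["content"]).hexdigest():
        return False  # content does not match the signed digest
    bound = fields.get("signingCert")
    if bound is None:
        return True  # nothing ties the signature to one certificate
    cert = msg["cert"]
    return bound == f"{cert['issuer']}#{cert['serial']}"
```

Without the attribute, `verify(swap_cert(msg, CERT_B))` still succeeds for a message signed under `CERT_A`; with it, the same swap fails because the signed issuer and serial number no longer match the certificate presented.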
