Carlisle:
I prefer the inclusion of the issuer and serial number as an authenticated
attribute. The signature certificate is likely to be included already.
This does require that the issuer have distinguished name (not an empty
name and an alt name).
Do you prefer the addition of the new attribute in ESS or CMS? I see
advantages to both choices.
Russ
At 01:57 PM 2/25/98 -0500, Carlisle Adams wrote:
Hi Jim,
----------
From: Jim Schaad
(Exchange)[SMTP:jimsch(_at_)EXCHANGE(_dot_)MICROSOFT(_dot_)com]
Sent: Wednesday, February 25, 1998 1:25 AM
To: Ietf-Smime (E-mail)
Subject: Inclusion of the issuer and serial number in authenticated
information
In discussions with other people here at Microsoft about the questions
of building certificate chains and what you sign with (a certificate or
a key), we came up with an interesting security hole from a legal
standpoint. If a person gets more than one certificate for a given key,
a person could switch certificates in the signed data object to the
other certificate thus potentially changing the legal liability of the
signature.
Denis Pinkas has been talking about this for a long time now (see, for
example, some of his postings to the PKIX list some time back, where the
context of the discussion was proof-of-possession in operational
protocols). Ultimately, what you want (from both a security and a legal
standpoint) is that a signature is computed not only over some data, but
also over the certificate (or cert. identifier) containing the public
key to be used to verify the signature.
Within something like CMS there are two very simple solutions. The
first is what you suggested:
To address this problem, I strongly suggest we do the following:
1. In CMS we define an authenticated attribute which contains the
issuer and serial number of the certificate which was used to sign the
message.
The other is to put the certificate itself (rather than the issuer &
serial number) in an authenticated attribute. This might be attractive
if the certificate is not carried elsewhere in the envelope or if it is
desirable to have the relevant information (e.g., the verification key
to check the signature) right there at your fingertips. In any case,
either solution is probably fine (though for CMS I suspect the former is
preferable...).
2. We require this new attribute to be included in the
authenticatedAttributes section of the message if one exists. (We can't
do anything about the problem if it does not exists.)
I suppose you could also say that an authenticateAttributes section
SHOULD exist, for this very reason.
If the list thinks this is a problem which needs to be addressed, I will
come up with a detailed proposal to fix this and submit it to the list.
jim schaad
--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams(_at_)entrust(_dot_)com
--------------------------------------------