John,
I have a small problem with the following change. While I agree that it is
correct, there is a possibility that this can lead to exactly the situation
we were trying to avoid. If A cannot verify B's signature and B cannot
verify A's signature, what is to stop them from sending messages back and
forth if some other item (such as a gateway) is also sticking in signatures?
11) Sec 4.1, 5th para: Please make the following change:
OLD: "A recipient SHOULD only process an mlExpansionHistory attribute if the
recipient can verify the signature of the SignerInfo which covers the
attribute. A recipient SHOULD NOT use an mlExpansionHistory attribute which
the recipient cannot authenticate."
NEW: "A recipient MUST verify the signature of the SignerInfo which covers
an mlExpansionHistory attribute before processing it. A recipient MUST NOT
process an mlExpansionHistory attribute which the recipient cannot
authenticate."
We perhaps should add a sentence along the lines of "If an
mlExpansionHistory is found in a signature which cannot be verified, and no
matching mlExpansionHistory is found in a verifiable signature, the MLA
SHOULD stop processing."
jim
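
Added example, not part of the original message: a sketch of an MLA's decision under the NEW text together with the sentence proposed above, run over constructed SignerInfo data. The names `SignerInfo` and `mla_decision`, the MLA identifiers, the reading of "matching" as an identical history, and loop detection by finding the MLA's own identifier in an authenticated history are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class SignerInfo:
    signer: str                                   # who produced this signature (constructed label)
    verified: bool                                # could this recipient verify the signature?
    ml_history: Optional[Tuple[str, ...]] = None  # MLA ids carried in mlExpansionHistory, if present

def mla_decision(my_id: str, signer_infos: Sequence[SignerInfo]) -> str:
    """Return 'stop', 'loop' or 'expand' for one incoming message."""
    with_history = [s for s in signer_infos if s.ml_history is not None]
    trusted = [s.ml_history for s in with_history if s.verified]
    untrusted = [s.ml_history for s in with_history if not s.verified]

    # Proposed sentence: a history seen only under an unverifiable signature,
    # with no matching history under a verifiable one, means stop processing.
    # Assumption: "matching" means the identical list of MLA ids.
    if any(h not in trusted for h in untrusted):
        return "stop"

    # NEW text: only authenticated histories are ever processed.
    # Assumption: the MLA detects a loop by finding its own id in the history.
    if any(my_id in h for h in trusted):
        return "loop"
    return "expand"

# Constructed scenarios for MLA "mla-a".
FIRST_PASS = [SignerInfo("mla-b", True, ("mla-b",))]
VERIFIED_LOOP = [SignerInfo("mla-b", True, ("mla-a", "mla-b"))]
# The case raised in the message: B's signature cannot be verified by A,
# while a gateway has added a signature of its own that does verify.
UNVERIFIABLE_PLUS_GATEWAY = [
    SignerInfo("mla-b", False, ("mla-a", "mla-b")),
    SignerInfo("gateway", True, None),
]
MATCHED_BY_VERIFIABLE = [
    SignerInfo("mla-b", False, ("mla-a", "mla-b")),
    SignerInfo("gateway", True, ("mla-a", "mla-b")),
]

if __name__ == "__main__":
    for name, infos in [("first pass", FIRST_PASS), ("verified loop", VERIFIED_LOOP),
                        ("unverifiable + gateway", UNVERIFIABLE_PLUS_GATEWAY),
                        ("matched by verifiable", MATCHED_BY_VERIFIABLE)]:
        print(f"{name}: {mla_decision('mla-a', infos)}")
```

Without the first check, the "unverifiable + gateway" case would fall through to `expand`, since the only history present is one the MLA is not allowed to process.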