ietf-smime

RE: Inclusion of the issuer and serial number in authenticated information

1998-03-16 20:07:49
John & Jim:

In general, the originator cannot know the certificate path that will be
used by the recipient, especially when cross certificates are involved.
Given this situation, the signature should not cover any more than the
terminal certificate in the path.  It seems to me that Issuer and Serial
Number is sufficient for this.

Russ

At 06:50 PM 3/12/98 -0800, Jim Schaad (Exchange) wrote:
John,

I don't think you are being fickle; I thought hard about it before I
endorsed the expanded proposal.  I decided that the additional capability
did not hurt anything since only one item was required (as opposed to the
entire chain).

I think that my original proposal actually addressed the issue that I was
worried about and is sufficient for that.  I think that the issue raised
by Denis and some others in private mail is not really addressed by the
sequence approach.  Specifically there is nothing that prevents a CA from
issuing a new certificate with the same serial number and issuer name, but
different extensions.  I don't know if this is really a problem that needs
to be solved or should be solved at this time by us.  This really requires a
sequence of both issuer/serial number and hash of the certificate pairs to
say that this is the certificate I wanted to use and you can see that the
certificate has not been changed in any way.

I can easily go either way with this issue as the full sequence is not
required by the proposal that Denis made, and thus the minimal version of
this extension solves my problem and that is really all that I cared about.

jim


-----Original Message-----
From: jsp(_at_)jgvandyke(_dot_)com [mailto:jsp(_at_)jgvandyke(_dot_)com]
Sent: Thursday, March 12, 1998 4:16 PM
To: Ietf-Smime (E-mail)
Subject: RE: Inclusion of the issuer and serial number in authenticated information


All,

I apologize for being fickle, but I agree with Blake's most excellent
argument that the "Signing Certificate Attribute" should only contain the
IssuerAndSerialNumber of the signer's cert and should not be a SEQUENCE OF
IssuerAndSerialNumber.  Once the app has obtained the signer's cert, it will
very probably include an authorityKeyIdentifier extension that includes the
IssuerAndSerialNumber of the issuer's cert, so the app can identify the
issuer's cert in that manner.  In summary, I agree with Jim's original
proposal.

================================
John Pawling   
jsp(_at_)jgvandyke(_dot_)com                             
J.G. Van Dyke & Associates, Inc.           
================================
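Jim's point above, that nothing stops a CA from issuing a second certificate under the same issuer name and serial number but with different extensions, can be shown concretely. The following Go program is an added example and is not code from this thread or from any S/MIME implementation: it builds a throwaway CA, issues two end-entity certificates that share issuer, subject, serial number and public key but differ only in the KeyUsage extension, and then compares them first by IssuerAndSerialNumber and then by a hash over the certificate. The CA name, the subject name, the serial number 4242 and the key usages are constructed for the example; SHA-256 is used as the certificate hash as an assumption (the thread does not name a hash algorithm).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertID carries the two ways of naming a certificate discussed in the thread:
// the IssuerAndSerialNumber pair, and a hash over the certificate bytes.
// TBSHash covers only the signed (to-be-signed) portion, so a difference there
// cannot be blamed on signature randomness.
type CertID struct {
	Issuer   string
	Serial   *big.Int
	KeyUsage x509.KeyUsage
	CertHash [sha256.Size]byte // SHA-256 over the full DER certificate (assumed hash)
	TBSHash  [sha256.Size]byte // SHA-256 over the TBSCertificate only
}

// Identify parses a DER certificate and computes both identifiers.
func Identify(der []byte) (CertID, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return CertID{}, err
	}
	return CertID{
		Issuer:   c.Issuer.String(),
		Serial:   c.SerialNumber,
		KeyUsage: c.KeyUsage,
		CertHash: sha256.Sum256(der),
		TBSHash:  sha256.Sum256(c.RawTBSCertificate),
	}, nil
}

// SameIssuerSerial reports whether an IssuerAndSerialNumber-only reference
// would treat the two certificates as the same certificate.
func SameIssuerSerial(a, b CertID) bool {
	return a.Issuer == b.Issuer && a.Serial.Cmp(b.Serial) == 0
}

// SameHash reports whether the certificate bytes themselves are identical.
func SameHash(a, b CertID) bool { return a.CertHash == b.CertHash }

// BuildPair creates a throwaway CA (constructed names, not a real CA) and issues
// two certificates that reuse the same serial number but carry different
// KeyUsage extensions, which is exactly the re-issuance Jim describes.
func BuildPair() (CertID, CertID, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CertID{}, CertID{}, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"}, // constructed
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return CertID{}, CertID{}, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return CertID{}, CertID{}, err
	}
	eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CertID{}, CertID{}, err
	}
	// issue signs an end-entity certificate for the same subject and key,
	// deliberately reusing serial 4242 (a constructed value) every time.
	issue := func(usage x509.KeyUsage) ([]byte, error) {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(4242),
			Subject:      pkix.Name{CommonName: "alice@example.com"}, // constructed
			NotBefore:    now,
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     usage,
		}
		return x509.CreateCertificate(rand.Reader, tmpl, caCert, &eeKey.PublicKey, caKey)
	}
	der1, err := issue(x509.KeyUsageDigitalSignature)
	if err != nil {
		return CertID{}, CertID{}, err
	}
	der2, err := issue(x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment)
	if err != nil {
		return CertID{}, CertID{}, err
	}
	id1, err := Identify(der1)
	if err != nil {
		return CertID{}, CertID{}, err
	}
	id2, err := Identify(der2)
	if err != nil {
		return CertID{}, CertID{}, err
	}
	return id1, id2, nil
}

func main() {
	a, b, err := BuildPair()
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuer/serial match: %v (%s / %s)\n", SameIssuerSerial(a, b), a.Issuer, a.Serial)
	fmt.Printf("cert hash match:     %v\n", SameHash(a, b))
	fmt.Printf("cert 1: keyUsage=%d sha256=%s\n", a.KeyUsage, hex.EncodeToString(a.CertHash[:]))
	fmt.Printf("cert 2: keyUsage=%d sha256=%s\n", b.KeyUsage, hex.EncodeToString(b.CertHash[:]))
}
```

The issuer/serial comparison reports a match while the hash comparison does not, and because the TBSCertificate hashes also differ, the difference lies in the signed content (the KeyUsage extension), not merely in the randomized ECDSA signature. A reference that carries the hash alongside the issuer and serial number pins the exact certificate bytes the signer used, which is what the "both issuer/serial number and hash" pairing in Jim's message buys.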