ietf-smime

Re: 'Signature Purpose' attribute?

1998-03-19 12:55:38
Dave,

You stated:
* contentReviewer - the signer did not originate the content, but is
   claiming to provide some value-added service to it.  Provides
   integrity, authentication, and non-repudiation of the claimed
   value-added purpose, but not non-repudiation of the content.
   Examples: virus scanning, release approval, timestamping, or
   adding a security label.

Please delete "or adding a security label" because the contentReviewer
cannot "add any value" by adding an eSSSecurityLabel authenticated attribute
to the original signedData object.  The contentReviewer is only allowed to
include an eSSSecurityLabel authenticated attribute in the signerInfo that
she signs if there was already an eSSSecurityLabel attribute present in the
signerInfo(s) already included in the original signedData object.
Furthermore, the eSSSecurityLabel attribute included in the
contentReviewer's signerInfo MUST be identical to the eSSSecurityLabel
attribute present in the signerInfo(s) already included in the original
signedData object.  Therefore, if the contentReviewer includes an
eSSSecurityLabel attribute in her signerInfo, she is not adding any value,
she is merely replicating the eSSSecurityLabel that already existed in the
signerInfo(s) included in the original signedData.  

This is true because the last para of ESS-04, sec 3.1.1 reads as follows:

"There can be multiple SignerInfos within a SignedData object, and each
SignerInfo may include authenticatedAttributes. Therefore, a single
SignedData object may include multiple eSSSecurityLabels, each SignerInfo
having an eSSSecurityLabel attribute. For example, an originator can send a
signed message with two SignerInfos, one containing a DSS signature, the
other containing an RSA signature. If any of the SignerInfos included in a
SignedData object include an eSSSecurityLabel attribute, then all of the
SignerInfos in that SignedData object MUST include an eSSSecurityLabel
attribute and the value of each MUST be identical."


================================
John Pawling
jsp(_at_)jgvandyke(_dot_)com
J.G. Van Dyke & Associates, Inc.
================================
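The rule from ESS section 3.1.1 quoted in the message (a SignedData carries eSSSecurityLabel in either none or all of its SignerInfos, and the values must be identical) is easy to get wrong in a verifier, and it is also what makes the contentReviewer's label purely a copy. The following is an added example, not code from the original message, from ESS, or from any S/MIME implementation. It models a SignerInfo as a plain dict holding only the fields the check needs (an assumption for illustration), treats the label value as opaque bytes compared byte for byte the way a DER encoding would be, and uses constructed placeholder byte strings in place of real DER. The object identifier is id-aa-securityLabel as defined in ESS.

```python
"""Checking the ESS 3.1.1 eSSSecurityLabel consistency rule across the
SignerInfos of one SignedData, and building a contentReviewer SignerInfo
that can only replicate, never introduce, the originator's label.

Added example: the SignerInfo model below is a simplified stand-in, and the
label byte strings are constructed placeholders, not real DER."""

# id-aa-securityLabel, the attribute type for eSSSecurityLabel (ESS 3.1.1).
ID_AA_SECURITY_LABEL = "1.2.840.113549.1.9.16.2.2"

# Constructed placeholders standing in for the DER encoding of an
# ESSSecurityLabel.  A real implementation would compare the encoded bytes
# produced by its ASN.1 encoder in exactly the same way.
LABEL_SECRET = b"placeholder-DER-ESSSecurityLabel-SECRET"
LABEL_TOP_SECRET = b"placeholder-DER-ESSSecurityLabel-TOP-SECRET"


def make_signer_info(signer, sig_alg, label=None):
    """Minimal stand-in for a CMS SignerInfo (assumed shape, not real ASN.1):
    who signed, which algorithm, and the authenticated attributes by OID."""
    attrs = {}
    if label is not None:
        attrs[ID_AA_SECURITY_LABEL] = label
    return {"signer": signer, "sig_alg": sig_alg, "signed_attrs": attrs}


def check_security_labels(signer_infos):
    """Apply the ESS 3.1.1 rule to the SignerInfos of one SignedData.

    Returns (ok, reason).  ok is True when no SignerInfo carries a label, or
    when every SignerInfo carries a byte-identical label."""
    labels = [si["signed_attrs"].get(ID_AA_SECURITY_LABEL) for si in signer_infos]
    present = [lbl for lbl in labels if lbl is not None]
    if not present:
        return True, "no eSSSecurityLabel in any SignerInfo"
    if len(present) != len(labels):
        missing = [si["signer"] for si, lbl in zip(signer_infos, labels) if lbl is None]
        return False, "eSSSecurityLabel missing from SignerInfo(s): " + ", ".join(missing)
    if any(lbl != present[0] for lbl in present[1:]):
        return False, "eSSSecurityLabel values differ between SignerInfos"
    return True, "every SignerInfo carries an identical eSSSecurityLabel"


def add_reviewer_signer_info(signer_infos, reviewer, sig_alg, proposed_label=None):
    """Return a new SignerInfo list with a contentReviewer's SignerInfo added.

    The reviewer's SignerInfo may carry an eSSSecurityLabel only if the
    originator's SignerInfos already do, and then only the identical value.
    A proposed label that would introduce or change a label is rejected, so
    the reviewer can never 'add value' through this attribute."""
    ok, reason = check_security_labels(signer_infos)
    if not ok:
        raise ValueError("original SignedData violates ESS 3.1.1: " + reason)
    existing = None
    if signer_infos:
        existing = signer_infos[0]["signed_attrs"].get(ID_AA_SECURITY_LABEL)
    if existing is None:
        if proposed_label is not None:
            raise ValueError("reviewer cannot add an eSSSecurityLabel the originator did not include")
        new = make_signer_info(reviewer, sig_alg)
    else:
        if proposed_label is not None and proposed_label != existing:
            raise ValueError("reviewer's eSSSecurityLabel must be identical to the originator's")
        new = make_signer_info(reviewer, sig_alg, existing)  # a copy, nothing more
    result = signer_infos + [new]
    ok, reason = check_security_labels(result)
    if not ok:
        raise ValueError("reviewer SignerInfo broke ESS 3.1.1: " + reason)
    return result


if __name__ == "__main__":
    # The example from the quoted paragraph: one originator, two SignerInfos
    # (DSS and RSA), both carrying the same label.
    original = [
        make_signer_info("originator", "dsa-with-sha1", LABEL_SECRET),
        make_signer_info("originator", "rsa-with-sha1", LABEL_SECRET),
    ]
    print(check_security_labels(original))
    reviewed = add_reviewer_signer_info(original, "virus-scanner", "rsa-with-sha1")
    print(check_security_labels(reviewed))
    print(reviewed[2]["signed_attrs"][ID_AA_SECURITY_LABEL] == LABEL_SECRET)
    # A label on one SignerInfo but not the other is rejected.
    print(check_security_labels([
        make_signer_info("a", "rsa-with-sha1", LABEL_SECRET),
        make_signer_info("b", "rsa-with-sha1"),
    ]))
```

The check is deliberately on the encoded bytes rather than on decoded fields: ESS requires the values to be identical, and comparing decoded structures can silently accept two encodings a verifier considers equivalent while another implementation does not.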