ietf-smime

Re: 'Signature Purpose' attribute?

1998-03-19 14:31:39
From: jsp(_at_)jgvandyke(_dot_)com (John Pawling)

The contentReviewer is only allowed to
include an eSSSecurityLabel authenticated attribute in the signerInfo that
she signs if there was already an eSSSecurityLabel attribute present in the
signerInfo(s) already included in the original signedData object.


John,

  It was just an example, but thanks for pointing out the restrictions on
eSSSecurityLabel.  I can think of three rebuttals:

1) the above quoted sentence isn't necessarily true in all cases, because
a security gateway could take a message (either signed or plain old email)
and wrap it in a new signedData.

2) eSSSecurityLabel is defined in the ESS document, whereas signaturePurpose
has been proposed for inclusion in CMS.  CMS may be used in non-S/MIME
applications which have different compliance requirements than S/MIME and
which do not refer to ESS at all.

3) I like the text in ESS as it stands now, but there may be suggestions
to modify the syntax and operation of eSSSecurityLabel to accommodate other
requirements.  If ESS were changed, the example might apply.


     dpk