1998-04-08 11:18:30
I absolutely agree.

I'm working away from the office, and my connectivity is limited or 
else I would check the CMP and PKIX Part 1-7 draft.  

Obviously S/MIME has to put the location of the certificate 
somewhere associated with the digital signature, and I would suggest CMP,
in hopes that other protocols will use the same mechanism.

However, we also need the same mechanism, using precisely
the same attribute syntax and OID, within the certificate itself,
just as CRLDistributionPoint was provided.

Unless this has crept in while I wasn't looking, I'd suggest that you,
David, reprise this discussion on both the PKIX and Federal PKI
list, and that we try to define and adopt such an attribute as quickly as

I'm not in as much of a hurry to get this in S/MIME as I am to include it in

What would the syntax of the URI look like for an LDAP query?
The others I know.


From: Dr Stephen Henson <shenson(_at_)bigfoot(_dot_)com>

In the minimal case the user's certificate will not be provided. Also,
since some of the CAs include large disclaimers in the user
certificate, this won't always help.

I agree with Steve.  The issuer name and serial number contained in
SignerInfo is sufficient to retrieve the user's certificate from
a repository.  If there were a global repository nothing more would
be needed.  However, there isn't.

It would be useful to define an S/MIME "subjectCertRepository"
attribute: a URI with syntax IA5String (as used in GeneralName).
This attribute, along with issuer/serial and a suitable amount of
handwaving would allow the user's cert to be retrieved using
LDAP, ftp, http, etc.
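An added illustration, not from this message or its authors, of what a URI-valued attribute with IA5String syntax could carry: an LDAP URL (RFC 2255 form) pointing at one directory entry's certificate, DER-encoded and decoded back with the 7-bit ASCII constraint enforced. The host name, the subject DN, the choice of the `userCertificate;binary` attribute and the function names are assumptions; no OID is shown because none was defined in the discussion.

```python
# Added example (not part of the original message). Builds an LDAP URL that
# retrieves a single entry's certificate and wraps it as a DER IA5String, the
# syntax proposed for the "subjectCertRepository" attribute. Host and DN are
# constructed sample values.
from urllib.parse import quote

IA5STRING_TAG = 0x16  # universal tag for IA5String (7-bit ASCII only)


def ldap_cert_url(host, subject_dn, attribute="userCertificate;binary"):
    """Return an LDAP URL (RFC 2255) fetching ATTRIBUTE from one entry.

    The DN is percent-escaped so characters such as '?' or space cannot be
    read as extra URL fields when the receiver parses the value.
    """
    safe = "=,+"  # DN separators stay literal; other reserved chars escaped
    return f"ldap://{host}/{quote(subject_dn, safe=safe)}?{attribute}?base"


def der_ia5string(text):
    """DER-encode TEXT as an IA5String; non-ASCII input is rejected."""
    data = text.encode("ascii")  # UnicodeEncodeError on anything outside IA5
    length = len(data)
    if length < 128:
        header = bytes([IA5STRING_TAG, length])
    else:
        lenbytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
        header = bytes([IA5STRING_TAG, 0x80 | len(lenbytes)]) + lenbytes
    return header + data


def parse_ia5string(der):
    """Inverse of der_ia5string: checks tag, length and character set."""
    if len(der) < 2 or der[0] != IA5STRING_TAG:
        raise ValueError("not an IA5String")
    if der[1] < 128:
        length, body = der[1], der[2:]
    else:
        n = der[1] & 0x7F
        length, body = int.from_bytes(der[2:2 + n], "big"), der[2 + n:]
    if len(body) != length:
        raise ValueError("length mismatch")
    return body.decode("ascii")


if __name__ == "__main__":
    url = ldap_cert_url("ldap.example.test", "CN=Alice Example,O=Example Org,C=US")
    encoded = der_ia5string(url)
    print(url)
    print(encoded.hex())
    print(parse_ia5string(encoded) == url)
```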

