ietf-smime
[Top] [All Lists]

Re: Signed Label (was RE: 'Signature Purpose' attribute?)

1998-04-09 16:44:37
Chris,

I still respectfully disagree with your proposal.  I admit that the layering
of the signedData objects does add bytes to the wire, but the price paid is
well worth the benefit of ensuring that there are not inconsistent or
contradictory ESSSecurityLabels applied to the same content.  Mandating that
all ESSSecurityLabels included in a single signedData must be identical
ensures that all ESSSecurityLabels applied to a content are consistent.
This ensures that there is no confusion regarding the sensitivity of the
content and that an access control decision can be made in an unambiguous
manner.

================================
John Pawling, jsp(_at_)jgvandyke(_dot_)com                             
J.G. Van Dyke & Associates, Inc.   
www.jgvandyke.com         
================================

At 11:16 PM 3/27/98 -0500, Bonatti, Chris wrote:
John,

   This is a GROSSLY inefficient means of addressing this requirement.  In
the common case where both labels are applied by the originating user, this
means double signature generation operations, double signature verification
operations, plus a bunch of extra attribute and ASN.1 overhead.  All that is
required to address this is either: