ietf-smime

Re: Signed Label (was RE: 'Signature Purpose' attribute?)

1998-04-14 10:13:11
Bill,

> 1) Not sure about this, I'm on shaky ground. Is there a problem if the
> message is not processed by any guards before arriving at the recipient?
> This would be the case where the recipient's security policy is "I don't
> care". He would have to work his way down through the nesting until he got
> to the level which contained the initial originator's message. Would the
> recipient actually do this? Or would he expect the initial originator's
> message to be at the top level?

These are not problems if the receiving S/MIME SW is properly implementing
the ESS I-D.  It will work its way through the layers.


> No Nesting:
> Pros:
>
> 1) Everything is at the top level (easily accessible).

And ambiguous.


> Cons:
>
> 1) Don't know which signature to use. This is why the Signature Purpose
> attribute was proposed. With the signatures tied into a purpose it can be
> left up to site policy. (Dangerous words I think :-) ).

IMHO, the signaturePurpose attribute should not be used for access control
purposes.  For example, what happens if every additional signer includes a
signaturePurpose indicating that she is the original signer???


> When I hear nesting I start thinking lots of overhead. All that information
> just to encapsulate a chunk of data. Whereas "sliding" another signature in
> seems a lot neater, though I am curious as to how easy it would be to do this.

The layering of the signedData objects does add bytes to the wire, but the
price paid is well worth the benefit of ensuring that there are not
inconsistent or contradictory ESSSecurityLabels applied to the same content.
Mandating that all ESSSecurityLabels included in a single signedData must be
identical ensures that all ESSSecurityLabels applied to a content are
consistent.  This ensures that there is no confusion regarding the
sensitivity of the content and that an access control decision can be made
in an unambiguous manner.


> Therefore, I'm interested in which option would require least processing
> both at the adding the third party signature and at the recipient ends
> (assuming third party sigs. have not been stripped off before reaching the
> end recipient).

Regarding this issue, I believe that the most important factor is making the
correct access control decision.  Allowing multiple different security
labels applied to a content endangers that goal.


> Bill.
> _____________________________________________________________________
> William Ottaway,             Tel: +44 (0)1684 894079
> DERA Malvern,                Fax: +44 (0)1684 896113
> St. Andrews Road,            email: w(_dot_)ottaway(_at_)eris(_dot_)dera(_dot_)gov(_dot_)uk
> Malvern,
> Worcs, WR14 3PS
> UK
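The receiving-agent behaviour the reply describes, as an added example that is not code from the thread or from any S/MIME implementation: it works inward through nested signedData layers, enforces the ESS rule that all ESSSecurityLabels inside one signedData must be identical, and then applies an assumed clearance-dominance rule for the access decision. All structures, field names, OIDs and classification numbers are constructed stand-ins, not the real ASN.1 types.

```python
# Added example, not code from the thread or any S/MIME implementation: a
# simplified model of nested signedData layers and of the ESS rule the reply
# relies on (all ESSSecurityLabels inside one signedData must be identical).
from dataclasses import dataclass
from typing import List, Optional, Union

@dataclass(frozen=True)
class SecurityLabel:
    policy: str          # security-policy-identifier (OID as text, constructed)
    classification: int  # higher = more sensitive; meaning defined by the policy

@dataclass
class SignerInfo:
    signer: str
    label: Optional[SecurityLabel] = None  # signed ESSSecurityLabel, if present

@dataclass
class SignedData:
    signers: List[SignerInfo]
    content: Union[bytes, "SignedData"]  # a layer may wrap another signedData

def layer_label(sd: SignedData) -> Optional[SecurityLabel]:
    # The ESS check: at most one distinct label may appear within a layer.
    labels = {si.label for si in sd.signers if si.label is not None}
    if len(labels) > 1:
        raise ValueError("inconsistent ESSSecurityLabels in one signedData")
    return next(iter(labels), None)

def unwrap(sd: SignedData):
    # Work inward layer by layer; returns ([(signers, label), ...], innermost content).
    layers, node = [], sd
    while isinstance(node, SignedData):
        layers.append(([si.signer for si in node.signers], layer_label(node)))
        node = node.content
    return layers, node

def permitted(sd: SignedData, clearance: SecurityLabel) -> bool:
    # Assumed access rule for the example: every labelled layer must use the
    # reader's policy and be no more sensitive than the reader's clearance.
    layers, _ = unwrap(sd)
    return all(lbl is None or (lbl.policy == clearance.policy
                               and lbl.classification <= clearance.classification)
               for _, lbl in layers)

# Constructed samples: the originator signs with SECRET and a guard wraps that in
# an outer layer carrying the identical label; the flat case has two differing
# labels in one layer, which the rule rejects.
SECRET, LOW = SecurityLabel("1.2.3.4", 3), SecurityLabel("1.2.3.4", 1)
inner = SignedData([SignerInfo("originator", SECRET)], b"the message")
nested = SignedData([SignerInfo("guard", SECRET)], inner)
flat_conflict = SignedData([SignerInfo("originator", SECRET),
                            SignerInfo("guard", LOW)], b"the message")
```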



