Dr Stephen Henson wrote:
I respectfully disagree with the idea that S/MIME supported algorithms
should be handled by PKIX for the reasons below.
According to my understanding the PKIX solutions involve a certificate
extension that is signed by an issuing authority.
A certificate does not list the algorithms supported by the recipient, only the
algorithm which that particular certificate can be used for.
There is an attribute (supportAlgorithms) defined in the ASN.1 module, but it's
not referenced in the specification in anyway. The attribute was include, I
believe, so that it could be put in a directory not carried in a certificate
(somebody tell me if I'm wrong), presumably in the subjectDirectoryAttributes
extension.
Maybe I'm not on the same wavelength, but I thought the user would need to know
in advance of sending a message what algorithms the recipient supports for
signature verification and encryption purposes. Do you want to define a
message that could be used by the originator to query the recipient about the
algorithms she supports? Or is the query directed at the directory? If the
query is aimed at the directory, I think it's already supported, the only thing
left to determine is what information should be in the directory to retrieve
the right certificate. This is being performed in the PKIX group see "Internet
X.509 Public Key Infrastructure LDAPv2 Schema",
draft-ietf-pkix-ldapv2-schema-00.txt.
..snip...
Cheers
--
Sean Turner - IECA, Inc.