It occurs to me that I may want to just assert (use) one of my
attribute certificates in a transaction, rather than all of them.
So I think we need to identify which ACs to use, and whether
the attribute to do this is authenticated or not.
Regards,
Rich
----------
From: David P. Kemp <dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil>
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: Finding and retrieving applicable Attribute Certificate(s)
Date: Wednesday, May 06, 1998 3:05 PM
From: Francois Rousseau <f(_dot_)rousseau(_at_)adga(_dot_)ca>
This implies that the signedInfo issuerAndSerialNumber field can NOT
uniquely identify both the public key certificate and the AC for each
originator.
Either I am completely confused about the point you are trying to make,
or you are confused about the difference between an attribute authority
and the subject of an attribute certificate.
To clarify:
* a public key certificate is issued and signed by a CA.
* one or more attribute certificates are issued and signed by one or
more AAs, which in general are different from the CA.
* each AC refers to one or more base public key certificates
(the "subject") which, as you point out, can be referred to using
either a baseCertificateID or a subjectName.
* the CMS SignerInfo issuerAndSerialNumber field refers to one public
key certificate.
Therefore, since the issuerAndSerialNumber field refers to one public key
certificate, and all ACs have a subject (public key certificate),
then the issuerAndSerialNumber field uniquely determines both the
signer and all ACs which apply to the signer.
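
The lookup described in the message above, as an added example that is not part of the original thread: issuerAndSerialNumber selects one public key certificate, and every AC whose subject is that certificate (by baseCertificateID or by subjectName) applies to the signer. The dataclasses, the sample certificates and the plain string comparison of names are assumptions made for illustration, not a real X.509 or CMS parser.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IssuerAndSerial = Tuple[str, int]  # (issuer name, serial number)

@dataclass(frozen=True)
class PublicKeyCert:               # simplified model of a CA-issued certificate
    issuer: str
    serial: int
    subject: str

@dataclass(frozen=True)
class AttributeCert:               # simplified model of an AA-issued AC
    aa: str                        # attribute authority that signed the AC
    attribute: str
    base_certificate_id: Optional[IssuerAndSerial] = None
    subject_name: Optional[str] = None

def applicable_acs(signer_id: IssuerAndSerial,
                   pkcs: List[PublicKeyCert],
                   acs: List[AttributeCert]) -> List[AttributeCert]:
    """Resolve issuerAndSerialNumber to one certificate, then to its ACs."""
    matches = [c for c in pkcs if (c.issuer, c.serial) == signer_id]
    if len(matches) != 1:
        raise LookupError("issuerAndSerialNumber must identify exactly one certificate")
    pkc = matches[0]
    # An AC applies if it names this certificate directly or names its subject.
    # Real name matching follows directory rules; string equality is a stand-in.
    return [ac for ac in acs
            if ac.base_certificate_id == signer_id
            or (ac.subject_name is not None and ac.subject_name == pkc.subject)]

# Constructed sample data: one CA, two attribute authorities, two signers.
CA = "CN=Example CA"
PKCS = [PublicKeyCert(CA, 17, "CN=Alice"), PublicKeyCert(CA, 18, "CN=Bob")]
ACS = [
    AttributeCert("CN=AA One", "clearance", base_certificate_id=(CA, 17)),
    AttributeCert("CN=AA Two", "role", subject_name="CN=Alice"),
    AttributeCert("CN=AA One", "clearance", base_certificate_id=(CA, 18)),
]

if __name__ == "__main__":
    for ac in applicable_acs((CA, 17), PKCS, ACS):
        print(ac.aa, ac.attribute)
```

The lookup returns every AC bound to the signer's certificate; choosing a single AC for one transaction, as raised at the top of the thread, would need an additional selector that this sketch does not model.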