ietf-smime

Re: Finding and retrieving applicable Attribute Certificate(s)

1998-05-07 06:42:00
Russ Housley wrote:

At 12:06 PM 5/5/98 -0400, Francois Rousseau wrote:
Yes, storing Attribute Certificates in the signedData certificates field
will avoid the redundancy of having them repeated in each signer
signerInfo. However, the signerInfo issuerAndSerialNumber field is NOT
meant to help find the correct AC as suggested. It is meant to specify
which signer's public key to use to verify the digital signature on the
signedData eContent field.

Agree, issuerAndSerialNumber is meant to identify the signature certificate
containing the signer's public key.  The attribute certificate (AC)
contains the same issuer and serial number field (or subject distinguished
name) linking it to the signature certificate.

So when AC's are included in the signedData
certificates CertificateSet, the receiving software can NOT still be sure
to find the correct AC.

Zero or more ACs may be needed.  Zero is the easy case, but multiple AC
(potentially issued by different authorities) may be needed in some context.

It is even worse when AC's are NOT included in the
signedData certificates CertificateSet to minimize the size of
transactions, although AC's have been used with the signing process to
provide an authorization service. The receiving software then has no means
to know that AC's were used, and to find and retrieve the applicable AC
during the later verification.

The recipient will determine which ACs are needed from the context.  The
recipient can readily determine which ACs are linked to the signer's
signature certificate (as discussed above).

It is recommended that a new CMSAttribute be added in the signerInfo
authenticatedAttributes field to let the receiving software know that AC's
were used along the signing process, and to help it find and retrieve the
applicable AC for the later verification.

Given the linkage that is already present, why is this needed?

I believe the reason is simple: The signer may have multiple ACs. It is
up to the signer to indicate which ones he is wishing the recipient to
use. The recipient should only be allowed to use what is possible within
the choice of the signer.

Denis

Russ

-- 
      Denis Pinkas     Bull S.A.          
mailto:Denis(_dot_)Pinkas(_at_)bull(_dot_)net
      Rue Jean Jaures  B.P. 68            Phone : 33 - 1 30 80 34 87
      78340 Les Clayes sous Bois. FRANCE   Fax  : 33 - 1 30 80 33 21
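
Added example, not part of the original messages or of any S/MIME specification: a simplified Python model of the two positions in this thread, first finding the ACs linked to the signer's signature certificate by issuer and serial number (or subject name), then narrowing them to the ones the signer named in a signed attribute. The `AC` class, the `signer_refs` list of (AC issuer, AC serial) pairs and all sample values are assumptions constructed for illustration; no real ASN.1 is parsed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AC:
    """Simplified attribute certificate (hypothetical model, not ASN.1)."""
    ac_issuer: str                        # authority that issued the AC
    ac_serial: int
    holder_cert: Optional[tuple] = None   # (issuer, serial) of the signature cert
    holder_subject: Optional[str] = None  # or the holder's subject DN
    attribute: str = ""

def linked_acs(acs, signer_issuer_serial, signer_subject):
    """ACs whose holder field points at the signer's signature certificate."""
    linked = []
    for ac in acs:
        if ac.holder_cert is not None:
            if ac.holder_cert == signer_issuer_serial:
                linked.append(ac)
        elif ac.holder_subject is not None and ac.holder_subject == signer_subject:
            linked.append(ac)
    return linked

def acs_to_use(acs, signer_issuer_serial, signer_subject, signer_refs=None):
    """Restrict linked ACs to those the signer named in a signed attribute.

    signer_refs is a hypothetical list of (ac_issuer, ac_serial) pairs; None
    means the message carries no such attribute and context must decide.
    """
    candidates = linked_acs(acs, signer_issuer_serial, signer_subject)
    if signer_refs is None:
        return candidates
    named = set(signer_refs)
    # A reference to an AC that is not linked to the signer is ignored.
    return [ac for ac in candidates if (ac.ac_issuer, ac.ac_serial) in named]

# Constructed sample data: one signer, three ACs in the CertificateSet.
SIGNER = ("CN=Example CA", 1001)
SIGNER_DN = "CN=Alice Example"
CERT_SET = [
    AC("CN=Purchasing AA", 1, holder_cert=SIGNER, attribute="purchase-limit:10000"),
    AC("CN=Security AA", 7, holder_subject=SIGNER_DN, attribute="clearance:restricted"),
    AC("CN=Purchasing AA", 2, holder_cert=("CN=Example CA", 2002), attribute="purchase-limit:500"),
]

if __name__ == "__main__":
    print([a.attribute for a in acs_to_use(CERT_SET, SIGNER, SIGNER_DN)])
    print([a.attribute for a in acs_to_use(CERT_SET, SIGNER, SIGNER_DN, [("CN=Purchasing AA", 1)])])
```

Without the signed reference the recipient is left with two linked ACs and must choose from context; with it, only the AC the signer named is returned.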