I have to admit that I like this proposal for a couple of reasons. First, it
makes the message shorter, as the hash is almost certainly smaller than the
issuer/serial number. Secondly, it removes duplicated information from the
certificate.
I originally proposed the issuer/serial number for two reasons. First, this
is the currently accepted method of identifying a certificate. Second, it
makes the process of validating the correctness easier: the issuer DNs and
the serial numbers can be binary compared to validate the certificate. Using
the hash requires that the certificate be present (so it can be pre-validated
by a gateway) and potentially adds a more complicated computation (hashing
the certificate) to validate the attribute.
I don't really have a strong preference about which way this should be done.
jim
-----Original Message-----
From: Dr Stephen Henson [mailto:shenson(_at_)bigfoot(_dot_)com]
Sent: Wednesday, May 13, 1998 7:30 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: SigningCertificate and IssuerAndSerialNumber.
While I feel that the principle of the specification is good I have to
admit that I have been swayed by the argument in favour of using
something other than IssuerAndSerialNumber to bind the signers
certificate.
One reason is that as things stand use of the signing certificate
attribute makes the "outer" issuerAndSerialNumber redundant. I feel that
something that complemented the outer issuerAndSerialNumber rather than
duplicated it would be preferable.
B. Open Issues
Some people have expressed a desire to solve the "Reissue
of Certificate" attack. I see no pressing need to address
this attack. Any certificate authority that allowed for
this attack is operating in an improper fashion and should
not be used. In the event that the attack is deemed to be
of importance, it could be solved by the addition of a
hash to the SigningCertificate ASN structure. This would
allow the relying entity to verify that the certificate
was exactly the same as the signing entity claimed to have
used.
I would respectfully suggest that if the SigningCertificate structure
contained a hash of the signers certificate (or some equivalent) the
IssuerAndSerialNumber structure would be redundant.
This prompts the question: why not make the SigningCertificate structure
consist wholly of the hash?
In addition, the hash is likely to be more compact than the
IssuerAndSerialNumber structure.
I agree that there is no pressing need to address the other attacks (a
rogue CA could do much nastier things invisibly) but if they can be
addressed (in addition to the original "Substitution Attack") this is no
bad thing IMHO.
Steve.
--
Dr Stephen N. Henson.
UK based freelance Cryptographic Consultant. For info see homepage.
Homepage: http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)bigfoot(_dot_)com
PGP key: via homepage.
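The trade-off the two messages above argue about, worked through as an added example in Python (not code from this thread or from any S/MIME implementation). The certificates are toy five-field records with a minimal DER encoder rather than real X.509, the hash is SHA-256 (the thread names no algorithm), and the "reissued" and "substituted" certificates are constructed sample data. The point the code makes is the one both authors make: a binding by issuer and serial number is a plain binary compare that needs only those two fields, while a binding by hash needs the whole certificate in hand but catches a second certificate issued under the same issuer/serial. The size comparison is included because Jim's "almost certainly smaller" holds only when the issuer DN plus serial is longer than the digest, which is the usual case with real DNs.

```python
"""Added example, not code from this thread: binding a signer's certificate by
IssuerAndSerialNumber versus by a hash over the DER-encoded certificate.

Assumptions (not from the thread): certificates are toy records with five
fields and a minimal DER encoder, not real X.509; SHA-256 is the hash; the
'reissued' and 'substituted' certificates are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (extra 0x00 when the top bit is set)."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_utf8(s: str) -> bytes:
    return der_tlv(0x0C, s.encode("utf-8"))


@dataclass(frozen=True)
class Cert:
    """Toy certificate holding only the fields the two binding schemes look at."""
    issuer: str
    serial: int
    subject: str
    not_after: str
    public_key: bytes

    def to_der(self) -> bytes:
        """SEQUENCE { issuer, serialNumber, subject, notAfter, publicKey }."""
        body = (der_utf8(self.issuer) + der_integer(self.serial)
                + der_utf8(self.subject) + der_utf8(self.not_after)
                + der_tlv(0x04, self.public_key))
        return der_tlv(0x30, body)

    def cert_hash(self) -> bytes:
        """Hash over the whole DER encoding, so any changed field changes the value."""
        return hashlib.sha256(self.to_der()).digest()


def issuer_and_serial(cert: Cert) -> bytes:
    """IssuerAndSerialNumber-style reference: SEQUENCE { issuer, serialNumber }."""
    return der_tlv(0x30, der_utf8(cert.issuer) + der_integer(cert.serial))


def check_by_issuer_serial(reference: bytes, presented: Cert) -> bool:
    """Binary compare of issuer and serial; needs only those two fields of the
    presented certificate, not the certificate itself."""
    return reference == issuer_and_serial(presented)


def check_by_hash(reference: bytes, presented: Cert) -> bool:
    """Needs the full presented certificate so its encoding can be re-hashed."""
    return hmac.compare_digest(reference, presented.cert_hash())


# Constructed sample data: a realistic-length issuer DN and a stand-in key.
CA = "C=UK, O=Example Ltd, OU=Certification Services, CN=Example Secure Server CA"
ALICE_KEY = bytes(range(32))


def reissue_scenario() -> dict:
    """'Reissue of Certificate': the CA issues a second certificate with the same
    issuer and serial but a different validity period."""
    original = Cert(CA, 4242, "CN=Alice", "1999-06-01", ALICE_KEY)
    reissued = Cert(CA, 4242, "CN=Alice", "2009-06-01", ALICE_KEY)
    ref_is, ref_hash = issuer_and_serial(original), original.cert_hash()
    return {
        "issuer_serial_accepts_reissue": check_by_issuer_serial(ref_is, reissued),
        "hash_accepts_reissue": check_by_hash(ref_hash, reissued),
        "hash_accepts_original": check_by_hash(ref_hash, original),
    }


def substitution_scenario() -> dict:
    """'Substitution Attack': a certificate for the same key from another CA is
    swapped in; the signature still verifies, so the binding must catch it."""
    original = Cert(CA, 4242, "CN=Alice", "1999-06-01", ALICE_KEY)
    substituted = Cert("CN=Other CA", 7, "CN=Alice", "1999-06-01", ALICE_KEY)
    return {
        "issuer_serial_accepts_substitute":
            check_by_issuer_serial(issuer_and_serial(original), substituted),
        "hash_accepts_substitute": check_by_hash(original.cert_hash(), substituted),
    }


def binding_sizes(cert: Cert) -> tuple:
    """(bytes in the IssuerAndSerialNumber reference, bytes in the hash reference)."""
    return len(issuer_and_serial(cert)), len(cert.cert_hash())


if __name__ == "__main__":
    print(reissue_scenario())
    print(substitution_scenario())
    print(binding_sizes(Cert(CA, 4242, "CN=Alice", "1999-06-01", ALICE_KEY)))
```

Both schemes reject the substituted certificate, which is the attack the attribute was designed for; only the hash rejects the reissued one, because the issuer/serial pair is identical by construction. With the sample DN the IssuerAndSerialNumber reference is well over twice the 32-byte digest, but a CA with a very short DN and small serial could invert that. For what it is worth, the specification that came out of this discussion (ESS, RFC 2634) settled on carrying the certificate hash as the mandatory part of ESSCertID with the issuer/serial as an optional companion, which is close to Steve's "complement rather than duplicate" position.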