ietf-smime
[Top] [All Lists]

Re: Countersignature within CMS

1998-06-27 10:13:43
Bill:

You are correct.  Can you propose a paragraph for he Security
Considerations to address your concerns?

Russ


At 08:51 AM 6/24/98 +0100, William Ottaway wrote:
Russ

If a signer verifies the signature it is countersigning then everything is
fine and dandy. However, when I receive a countersignature I have no way of
knowing if the signature being signed has been checked first. Infact I
would expect that the entity applying the countersignature is more likely
not to check the signature over the original content because it doesn't
need to and may not be able to.

Excerpt from last paragraph of section 11.4 in draft-ietf-smime-cms-05.txt

"The fact that a countersignature is computed on a signature value means
that the countersigning process need not know the original content input to
the signing process."

If the original content is not available then the signature being
countersigned can not be validated.

Bill.

At 22:56 23/06/98 -0400, you wrote:
Bill:

I should think that a signer would not apply a countersignature without
verifying the signature that it covers.  One important place that
countersignature might be used is a workflow application where concurrance
is needed.

Russ

At 02:36 PM 6/22/98 +0100, William Ottaway wrote:
Hi all,

I would like to know whether anyone uses or intends to use the
Countersignature attribute type defined in section 11.4 in
draft-ietf-smime-cms-04.txt.

I myself do not see a use for it as I can't trust it. It is not
authenticated and it provides one or more signatures on a signature value
which may not be valid.

Bill.
_____________________________________________________________________
William Ottaway,             Tel: +44 (0)1684 894079
DERA Malvern,                Fax: +44 (0)1684 896113
St. Andrews Road,            email: 
w(_dot_)ottaway(_at_)eris(_dot_)dera(_dot_)gov(_dot_)uk
Malvern,
Worcs, WR14 3PS
UK


"The Information contained in this E-Mail and any subsequent
correspondence is private and is intended solely for the intended
recipient(s).  For those other than the intended recipient any
disclosure, copying, distribution, or any action taken or omitted to
be taken in reliance on such information is prohibited and may be
unlawful."
____________________________________________________________
William Ottaway,             Tel: (01684) 894079
DERA Malvern,                Fax: (01684) 896113
St. Andrews Road,            email: 
w(_dot_)ottaway(_at_)eris(_dot_)dera(_dot_)gov(_dot_)uk
Malvern,
Worcs,

WR14 3PS

All opinions are my own.


<Prev in Thread] Current Thread [Next in Thread>