ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: I-D ACTION:draft-ietf-smime-sigattr-01.txt

1998-07-08 07:32:06
from [Francois Rousseau] [Permanent Link] 
Jim,

I fully support the added ability to refer to Attribute Certificates in the
revised Signing Certificate Attribute. However, for the CertID type at Sec
5, you used the IssuerAndSerialNumber type, which is defined in Sec 10.2.4
of CMS as:

IssuerAndSerialNumber ::= SEQUENCE {
        issuer          Name,
        serialNumber    CertificateSerialNumber }

The IssuerAndSerialNumber type is adequate to identify a public key
certificate by the DN of the certificate issuer and an issuer-specific
certificate serial number. However, it will not be adequate for Attribute
Certificates since they use the GeneralNames type to identify the
certificate issuer instead on the Name type. As suggested in my previous
message on 29 May 1998, instead of the IssuerAndSerialNumber type, I
suggest that you use the following:

IssuerSerial ::= SEQUENCE {
        issuer          GeneralNames,
        serialNumber    CertificateSerialNumber }

Where fields of the IssuerSerial type would have the following meanings:

        The issuer is the name of the Authority that created the certificate.

        The serialNumber is the serial number that uniquely identifies the
certificate.

The issuer field can be used to identify the issuer of an attribute
certificate or a public key certificates since one of the possible
alternative under the GeneralNames type is the Name type. Note that Sec
4.2.1.7 of PKIX Part 1 provides more details on the GeneralNames type.

In addition, CMS distinguishes between signed/unsigned attributes, which
are only used in the SignerInfo object, and authenticated/unauthenticated
attributes, which are only used in the AuthenticatedData object. Because of
this, I suggest that the second sentence of Sec 1 should read:

"This draft addresses this issue by creating a new attribute to be placed
in the SignedAttributes section of a SignerInfo object."

In the same vein I suggest that the first four sentences of the last
paragraph of Sec 6 should read:

"If present, the SigningCertificate attribute MUST be a signed attribute;
it MUST NOT be an unsigned, an authenticated or an unauthenticated
attribute.  CMS defines SignedAttributes as a SET SIZE (1..MAX) OF
Attribute.  A SignerInfo MUST NOT include multiple instances of the
SigningCertificate attribute.  CMS defines the ASN.1 syntax for Attribute
to include attrValues SET OF AttributeValue."

Francois Rousseau
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Signing a SignedData object with RSA, Russ Housley
Next by Date:  Re: Signing a SignedData object with RSA, EKR
Previous by Thread:  I-D ACTION:draft-ietf-smime-sigattr-01.txt, Internet-Drafts
Next by Thread:  RE: I-D ACTION:draft-ietf-smime-sigattr-01.txt, Jim Schaad (Exchange)
Indexes:  [Date] [Thread] [Top] [All Lists]