ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: I-D ACTION:draft-ietf-smime-sigattr-01.txt

1998-07-08 12:03:28
from [Jim Schaad (Exchange)] [Permanent Link] 
This is what I get for not completely understanding attribute
certificates yet.  I will make the change from IssuerAndSerialNumber to
using a GeneralName on the issuer.

jim


-----Original Message-----
From: Francois Rousseau [mailto:f(_dot_)rousseau(_at_)adga(_dot_)ca]
Sent: Wednesday, July 08, 1998 7:29 AM
To: Jim Schaad (Exchange)
Cc: ietf-smime(_at_)imc(_dot_)org
Subject: Re: I-D ACTION:draft-ietf-smime-sigattr-01.txt


Jim,

I fully support the added ability to refer to Attribute 
Certificates in the
revised Signing Certificate Attribute. However, for the 
CertID type at Sec
5, you used the IssuerAndSerialNumber type, which is defined 
in Sec 10.2.4
of CMS as:

IssuerAndSerialNumber ::= SEQUENCE {
      issuer          Name,
      serialNumber    CertificateSerialNumber }

The IssuerAndSerialNumber type is adequate to identify a public key
certificate by the DN of the certificate issuer and an issuer-specific
certificate serial number. However, it will not be adequate 
for Attribute
Certificates since they use the GeneralNames type to identify the
certificate issuer instead on the Name type. As suggested in 
my previous
message on 29 May 1998, instead of the IssuerAndSerialNumber type, I
suggest that you use the following:

IssuerSerial ::= SEQUENCE {
      issuer          GeneralNames,
      serialNumber    CertificateSerialNumber }

Where fields of the IssuerSerial type would have the 
following meanings:

      The issuer is the name of the Authority that created 
the certificate.

      The serialNumber is the serial number that uniquely 
identifies the
certificate.

The issuer field can be used to identify the issuer of an attribute
certificate or a public key certificates since one of the possible
alternative under the GeneralNames type is the Name type. 
Note that Sec
4.2.1.7 of PKIX Part 1 provides more details on the GeneralNames type.

In addition, CMS distinguishes between signed/unsigned 
attributes, which
are only used in the SignerInfo object, and 
authenticated/unauthenticated
attributes, which are only used in the AuthenticatedData 
object. Because of
this, I suggest that the second sentence of Sec 1 should read:

"This draft addresses this issue by creating a new attribute 
to be placed
in the SignedAttributes section of a SignerInfo object."

In the same vein I suggest that the first four sentences of the last
paragraph of Sec 6 should read:

"If present, the SigningCertificate attribute MUST be a 
signed attribute;
it MUST NOT be an unsigned, an authenticated or an unauthenticated
attribute.  CMS defines SignedAttributes as a SET SIZE (1..MAX) OF
Attribute.  A SignerInfo MUST NOT include multiple instances of the
SigningCertificate attribute.  CMS defines the ASN.1 syntax 
for Attribute
to include attrValues SET OF AttributeValue."

Francois Rousseau
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Signing a SignedData object with RSA, EKR
Next by Date:  RE: Signing a SignedData object with RSA, Blake Ramsdell
Previous by Thread:  Re: I-D ACTION:draft-ietf-smime-sigattr-01.txt, Francois Rousseau
Next by Thread:  I-D ACTION:draft-ietf-smime-certdist-01.txt, Internet-Drafts
Indexes:  [Date] [Thread] [Top] [All Lists]