ietf-smime

Re: SignatureAlgorithmIdentifiers

1998-07-09 15:54:11
"Blake Ramsdell" <blake(_dot_)ramsdell(_at_)worldtalk(_dot_)com> writes:

> OK, now for something controversial (well, maybe it isn't).  Object
> identifiers.
>
> There is currently a field in the SignerInfo structure called
> signatureAlgorithm which is of type SignatureAlgorithmIdentifier.  This
> was called digestEncryptionAlgorithm and was of type
> DigestEncryptionAlgorithmIdentifier in PKCS #7 v1.5 (RFC 2315).  It was
> renamed because DSA is not technically an encryption of a digest which
> was implied by the old name.  In any case, in S/MIME v2 which used PKCS
> #7 v1.5, this field always contained the OID "rsaEncryption" defined
> under PKCS #1.
>
> It has been suggested through various non-list channels that the
> semantics of this field be changed to be the complete signature
> algorithm.  That is, the OID that combines the digest algorithm with the
> method by which the digest is protected.  For instance,
> md2WithRSAEncryption, md5WithRSAEncryption, sha-1WithRSAEncryption, and
> id-dsa-with-sha1 instead of the currently specified values of
> rsaEncryption and id-dsa.

I agree that dsa should be id-dsa-with-sha-1 for security reasons.

I do not, however, agree that we should use fooWithRSAEncryption.
It doesn't provide any obvious benefit that I can see, and
(as noted) has negative backwards compatibility consequences.
Moreover, it leaves open the question of what to do if the
OID in the SignatureAlgorithm doesn't match the OID in the
digestAlgorithm field.

-Ekr

-- 
[Eric Rescorla                             Terisa Systems, Inc.]
                "Put it in the top slot."
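
The mismatch question raised at the end of this message, shown as an added example that is not part of the thread or of any S/MIME implementation: a verifier-side check that decodes the digestAlgorithm and signatureAlgorithm OIDs of a SignerInfo and compares them. The function names and the fail-closed policy on a mismatch are assumptions; the thread leaves that policy open.

```python
# Added example. Failing closed on a mismatch is an assumed policy, not from the thread.
DIGESTS = {"1.2.840.113549.2.2": "md2", "1.2.840.113549.2.5": "md5",
           "1.3.14.3.2.26": "sha-1"}
# signatureAlgorithm OID -> (key algorithm, digest implied by the OID or None)
SIGNATURES = {
    "1.2.840.113549.1.1.1": ("rsa", None),     # rsaEncryption
    "1.2.840.113549.1.1.2": ("rsa", "md2"),    # md2WithRSAEncryption
    "1.2.840.113549.1.1.4": ("rsa", "md5"),    # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": ("rsa", "sha-1"),  # sha-1WithRSAEncryption
    "1.2.840.10040.4.1": ("dsa", None),        # id-dsa
    "1.2.840.10040.4.3": ("dsa", "sha-1"),     # id-dsa-with-sha1
}

def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER with a short-form length to dotted form."""
    if (len(der) < 3 or der[0] != 0x06 or der[1] >= 0x80
            or der[1] != len(der) - 2 or der[-1] & 0x80):
        raise ValueError("malformed DER OID")
    arcs, value = [], 0
    for byte in der[2:]:
        value = (value << 7) | (byte & 0x7F)   # base-128, high bit = "more follows"
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)              # first sub-identifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_signer_info(digest_der: bytes, signature_der: bytes):
    """Return (key_alg, digest, form); raise ValueError if unknown or mismatched."""
    digest_oid, sig_oid = decode_oid(digest_der), decode_oid(signature_der)
    if digest_oid not in DIGESTS or sig_oid not in SIGNATURES:
        raise ValueError(f"unsupported algorithm: {digest_oid} / {sig_oid}")
    digest = DIGESTS[digest_oid]
    key_alg, implied = SIGNATURES[sig_oid]
    if implied is None:
        return key_alg, digest, "bare"         # digest comes only from digestAlgorithm
    if implied != digest:
        raise ValueError(f"digestAlgorithm is {digest}, signatureAlgorithm implies {implied}")
    return key_alg, digest, "combined"

if __name__ == "__main__":
    # Constructed DER encodings: sha-1, rsaEncryption, md5WithRSAEncryption
    sha1 = bytes.fromhex("06052b0e03021a")
    print(check_signer_info(sha1, bytes.fromhex("06092a864886f70d010101")))
    try:
        check_signer_info(sha1, bytes.fromhex("06092a864886f70d010104"))
    except ValueError as err:
        print("rejected:", err)
```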