My apologies if this has been mentioned already. I lost rather a lot of
mail from this list recently.
While looking through the certificate distribution specification
recently it occurred to me that it could, with minor extensions, be used
as a standard to allow email clients to import or export their S/MIME
certificates and symmetric capabilities. Some clients use a
"certificates only" PKCS#7 signed data structure for this purpose
already but this does not include symmetric capabilities.
The changes required are:
1. More than one SignerInfo structure permitted: one for each user
represented.
2. The messageDigest signed attribute is ignored. This is only given a
default value anyway and by allowing any value it is possible to just
cut the PKCS#7 structure from an S/MIME signed message. The value is
irrelevant: it's the digital signature on the signed attributes that is
important.
To use this format for export, a client would gather together the
valid SignerInfo structures for each user, package them in a PKCS#7
structure and add the necessary certificates (removing duplicates).
For import, a client would check the signature on the signed attributes
of each SignerInfo structure then add the valid capabilities to its
lists along with the necessary certificates.
Steve.
--
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk
PGP key: via homepage.