
Certificate distribution specification suggestions.

1998-08-19 10:31:40
My apologies if this has been mentioned already. I lost rather a lot of
mail from this list recently.

While looking through the certificate distribution specification
recently it occurred to me that it could, with minor extensions, be used
as a standard to allow email clients to import or export their S/MIME
certificates and symmetric capabilities. Some clients use a
"certificates only" PKCS#7 signed data structure for this purpose
already but this does not include symmetric capabilities.

The changes required are:

1. More than one SignerInfo structure permitted: one for each user
2. The messageDigest signed attribute is ignored. This is only given a
default value anyway and by allowing any value it is possible to just
cut the PKCS#7 structure from an S/MIME signed message. The value is
irrelevant: it's the digital signature on the signed attributes that is

To use this format for export, a client would gather together the
valid SignerInfo structures for each user, package them in a PKCS#7
structure and add the necessary certificates (removing duplicates).

For import, a client would check the signature on the signed attributes
of each SignerInfo structure then add the valid capabilities to its
lists along with the necessary certificates.

Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at
Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk
PGP key: via homepage.
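
The export and import steps described in the message above, modelled as an added example that is not part of the original post. `Cert`, `SignerInfo`, `toy_key`, `attrs_hash` and the bundle layout are hypothetical stand-ins for the real ASN.1 structures; signatures use textbook RSA over constructed toy keys, and certificate path validation is left out.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent for the constructed toy RSA keys below
@dataclass(frozen=True)
class Cert:          # hypothetical stand-in for an X.509 certificate
    subject: str
    n: int           # RSA modulus

@dataclass(frozen=True)
class SignerInfo:    # hypothetical stand-in for a PKCS#7 SignerInfo
    subject: str
    signed_attrs: tuple   # ((name, value), ...)
    signature: int

def toy_key(p, q):  # constructed textbook-RSA key from known primes: (n, d)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def attrs_hash(attrs, n):
    # Stand-in for hashing the DER encoding of the signed attributes.
    return int.from_bytes(hashlib.sha256(repr(attrs).encode()).digest(), "big") % n

def sign(subject, attrs, n, d):
    return SignerInfo(subject, attrs, pow(attrs_hash(attrs, n), d, n))

def export_bundle(signer_infos, certs):
    # One SignerInfo per user; certificates added with duplicates removed.
    return {"signerInfos": list(signer_infos), "certificates": list(dict.fromkeys(certs))}

def import_bundle(bundle):
    """Return {subject: capabilities} for SignerInfos whose signature verifies."""
    certs = {c.subject: c for c in bundle["certificates"]}
    accepted = {}
    for si in bundle["signerInfos"]:
        cert = certs.get(si.subject)
        # messageDigest is never compared with anything; only the signature counts.
        if cert and pow(si.signature, E, cert.n) == attrs_hash(si.signed_attrs, cert.n):
            accepted[si.subject] = dict(si.signed_attrs)["smimeCapabilities"]
    return accepted

def demo():  # constructed sample: two users plus one altered SignerInfo
    (na, da), (nb, db) = toy_key(2**61 - 1, 2**89 - 1), toy_key(2**107 - 1, 2**127 - 1)
    a = sign("alice", (("messageDigest", b"anything"), ("smimeCapabilities", ("3des", "rc2-128"))), na, da)
    b = sign("bob", (("messageDigest", b""), ("smimeCapabilities", ("rc2-40",))), nb, db)
    forged = SignerInfo("bob", (("messageDigest", b""), ("smimeCapabilities", ("3des",))), b.signature)
    return export_bundle([a, b, forged], [Cert("alice", na), Cert("bob", nb), Cert("alice", na)])

if __name__ == "__main__":
    print(import_bundle(demo()))
```

The altered SignerInfo reuses a genuine signature over different capabilities, so it fails verification and the importer keeps only the two signed capability sets.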
