Denis brought this up in the IETF meeting last week, and said no one had
commented on it. So I've re-read his message and my comment is that this is
a non-issue.
At 03:43 PM 7/15/98 -0700, Denis Pinkas wrote:
On page 10, the text says ? The input to the signature validation
process includes the result of the message digest calculation process
and the signer?s public key?. This is not sufficient in order to give
the same and relaible result between two different implementations. The
knowledge of the certificate of the signer as well as the time of the
signature are both important. If there is an ambiguity on one or the
other component then the end-result can be different.
You appear to be confusing signature validation with certificate
validation. A signature can be perfectly valid even if a certificate that
contains the public key used in that signature is revoked. Signature
validation as described in CMS doesn't involve following cert chains or
checking revocation, nor should it.
For a concrete example of this, imagine that I get a cert on my public key
from CA(x) with an expiration date of two years. After a year, CA(x) asks
for more money, and I refuse. In retribution, they revoke my certificate. I
take the same public key to CA(y), who signs it. A message that was signed
with my private key before the revocation is checked after the revocation
time. No certs are included in the message, but the recipient has cached
previous certs of mine, as specified in S/MIME. Depending on the
certificates the recipient uses, this will come back as "valid signature
and non-revoked cert", "valid signature but revoked cert" or possibly
"valid signature and mixed signals on cert status due to multiple certs
with different revocation status". But, in each case, the signature is
still valid.
Thus, I see no reason to change CMS in the ways you describe.
--Paul Hoffman, Director
--Internet Mail Consortium