All,

I agree with Russ that there are multiple interpretations of the original
PKCS#7 v1.5 text regarding Countersignature attributes:

1) There can be multiple Countersignature attributes present in a
signerInfo, but each Countersignature attribute can only contain a single
instance of the signerInfo syntax.

2) There can only be one Countersignature attribute present in a signerInfo,
but that single Countersignature attribute can contain multiple instances of
the signerInfo syntax.

3) There can be multiple Countersignature attributes present in a signerInfo
and each Countersignature attribute can contain multiple instances of the
signerInfo syntax.

CMS definitely needs to be clarified regarding this issue. It needs to
specify one of the above. I will re-iterate Russ' request for input from
the S/MIME v2 vendors. Did anybody implement countersignatures?? If so,
were there any implementors' agreements regarding this issue?? Will any of
these options break existing implementations??
================================
John Pawling, jsp(_at_)jgvandyke(_dot_)com
J.G. Van Dyke & Associates, Inc.
www.jgvandyke.com
================================
Note: I deleted all of the HTML characters included in Russ' original message:
At 10:37 AM 8/28/98 -0400, Russ Housley wrote:
S/MIME Implementors:
See the comment from John Pawling below.
I agree that the text is not clear. Looking back at the
original PKCS#7 v1.5 text, there is no insight to be found. So, I
would like to hear from implementors, especially S/MIME v2
implementors. How is this handled?
Another interpretation of the PKCS#7 v1.5 text is:
A countersignature attribute can have multiple attribute
values. The syntax is defined as a SET OF AttributeValue, and there
must be one or more instances of AttributeValue present.
The UnsignedAttributes syntax is defined as a SET OF
Attributes. The UnsignedAttributes in a signerInfo may include
multiple instances of the countersignature attribute.
Russ
At 10:39 AM 8/4/98 -0400, John Pawling wrote:
5) Sec 11.4, Countersignature: Please change as follows:
OLD: "A countersignature attribute can have multiple attribute values."
NEW: "The UnsignedAttributes syntax is defined as a SET OF Attributes.
The UnsignedAttributes in a signerInfo MAY include multiple instances
of the countersignature attribute. The Attribute syntax defines
attrValues as a SET OF AttributeValue. A countersignature attribute
MUST only include a single instance of AttributeValue. There MUST NOT
be zero or multiple instances of AttributeValue present in the
attrValues SET OF AttributeValue."
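
Added example, not part of the original thread: a Python check that reads a DER-encoded unsignedAttrs, counts the attrValues in each countersignature attribute (OID 1.2.840.113549.1.9.6), and reports which of the three interpretations listed at the top of this message would accept that layout. The function names and sample encodings are constructed for illustration, with SEQUENCE { INTEGER n } standing in for a real SignerInfo.

```python
COUNTERSIG_OID = bytes.fromhex("2a864886f70d010906")  # 1.2.840.113549.1.9.6

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the TLV at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # (tag, value) for each element of a constructed type
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def countersig_value_counts(unsigned_attrs):
    """One entry per countersignature attribute: its number of attrValues."""
    tag, body, _ = read_tlv(unsigned_attrs, 0)
    if tag not in (0x31, 0xA1):  # SET OF, or [1] IMPLICIT inside a SignerInfo
        raise ValueError("not an attribute set")
    counts = []
    for atag, attr_body in children(body):
        fields = list(children(attr_body))
        if atag != 0x30 or [t for t, _ in fields] != [0x06, 0x31]:
            raise ValueError("malformed Attribute")
        if fields[0][1] == COUNTERSIG_OID:
            counts.append(len(list(children(fields[1][1]))))
    return counts

def accepted_by(counts):
    """Which of the thread's interpretations (1, 2, 3) permit this layout."""
    if 0 in counts:  # zero attrValues is ruled out in the quoted text
        return set()
    one_value_each, one_attr = all(c == 1 for c in counts), len(counts) <= 1
    return {3} | ({1} if one_value_each else set()) | ({2} if one_attr else set())

# Constructed samples: SEQUENCE { INTEGER n } stands in for a real SignerInfo.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths only
def attr(*values):
    return tlv(0x30, tlv(0x06, COUNTERSIG_OID) + tlv(0x31, b"".join(values)))
SI1, SI2 = tlv(0x30, b"\x02\x01\x01"), tlv(0x30, b"\x02\x01\x02")
TWO_ATTRS = tlv(0xA1, attr(SI1) + attr(SI2))  # the layout of interpretation 1
ONE_ATTR = tlv(0xA1, attr(SI1, SI2))          # the layout of interpretation 2
```

A receiver built to interpretation 1 rejects ONE_ATTR and one built to interpretation 2 rejects TWO_ATTRS, which is the interoperability question the thread puts to implementors.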