ietf-smime

Re: Countersignature Attribute

1998-09-14 22:51:16
<HTML><PRE>
 
jsp(_at_)jgvandyke(_dot_)com (John Pawling) writes:
 
I agree with Russ that there are multiple interpretations of the original
PKCS#7 v1.5 text regarding Countersignature attributes:
 
I've gone through this in the past as well, the relevant definitions are:
 
  {Un}SignedAttributes ::= SET SIZE (1..MAX) OF Attribute
  Attribute ::= SEQUENCE { ..., SET OF AttributeValue }
  CounterSignature ::= SignerInfo
 
Applying this to the following:
 
1) There can be multiple Countersignature attributes present in a signerInfo,
but each Countersignature attribute can only contain a single instance of the
signerInfo syntax.
 
2) There can only be one Countersignature attribute present in a signerInfo,
but that single Countersignature attribute can contain multiple instances of
the signerInfo syntax.
 
3) There can be multiple Countersignature attributes present in a signerInfo
and each Countersignature attribute can contain multiple instances of the
signerInfo syntax.
 
It looks like both (1) and (2) are out, given that you have SET's OF all over
the place.  Also CMS section 11.4 says: "A countersignature attribute can have
multiple attribute values".  Following the ASN.1 definition, it would appear
(3) is correct, but this seems overly general... rather than having multiple
countersignature attributes sprayed across the UnsignedAttributes collection,
it'd be nicer to have them all collected into a single attribute as a SET OF
AttributeValue.  Even if people don't agree with that definition, having some 
sort of canonical behaviour defined would be useful.
 
CMS definitely needs to be clarified regarding this issue.  It needs to
specify one of the above.  I will re-iterate Russ' request for input from the
S/MIME v2 vendors.  Did anybody implement countersignatures??  If so, were
there any implementors' agreements regarding this issue??  Will any of these
options break existing implementations??
 
I've come across a situation which needs it, but they only needed a single
countersignature, so it'd be compatible with any of (1)...(3).
 
Note: I deleted all of the HTML characters included in Russ' original message:
 
</PRE>
<META HTTP-EQUIV="Content-Type:text/html"> <SCRIPT>
function X() {var Text = "HTML is not acceptable for use in " +
"mail so your browser will stop."; alert(Text); parent.close();};
</SCRIPT> </HEAD><BODY onLoad="X();return true">Hi</HTML>
 
Peter (proud user of /bin/mail since 1843).
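
Added example (not part of the original message, nor code from any S/MIME implementation): a verifier that has to accept whichever of readings (1) to (3) the sender followed can flatten every value of every countersignature attribute into one list before verifying each SignerInfo. The helper names and the sample encodings are constructed for illustration, and the placeholder SEQUENCEs stand in for real SignerInfo structures.

```python
# Added example: gather countersignatures under readings (1), (2) and (3).
# Content octets of OID 1.2.840.113549.1.9.6 (PKCS #9 countersignature).
ID_COUNTERSIGNATURE = bytes.fromhex("2a864886f70d010906")

def read_tlv(buf, pos):
    """Parse one DER element; return (tag, content, offset after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Yield (tag, content, raw encoding) for each element in content."""
    pos = 0
    while pos < len(content):
        tag, body, end = read_tlv(content, pos)
        yield tag, body, content[pos:end]
        pos = end

def collect_countersignatures(unsigned_attrs):
    """Return (raw SignerInfo encodings, count of countersignature attributes)."""
    tag, attrs, _ = read_tlv(unsigned_attrs, 0)
    if tag not in (0x31, 0xA1):            # SET OF, or [1] IMPLICIT in SignerInfo
        raise ValueError("not an attribute set")
    found, attr_count = [], 0
    for atag, abody, _ in children(attrs):
        parts = list(children(abody))
        if atag != 0x30 or [p[0] for p in parts] != [0x06, 0x31]:
            raise ValueError("malformed Attribute")
        if parts[0][1] != ID_COUNTERSIGNATURE:
            continue                       # some other unsigned attribute
        attr_count += 1
        found.extend(raw for _tag, _body, raw in children(parts[1][1]))
    return found, attr_count

# Constructed sample data (short-form lengths only; not real SignerInfos).
def der(tag, body):
    return bytes([tag, len(body)]) + body

def attr(*values):
    return der(0x30, der(0x06, ID_COUNTERSIGNATURE) + der(0x31, b"".join(values)))

SI_A, SI_B = der(0x30, der(0x02, b"\x01")), der(0x30, der(0x02, b"\x02"))
SPREAD = der(0xA1, attr(SI_A) + attr(SI_B))    # one value per attribute
GROUPED = der(0xA1, attr(SI_A, SI_B))          # one attribute, two values
```

Both layouts yield the same two SignerInfo encodings; only the attribute count differs, which a stricter profile could check if one canonical form is ever mandated.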
 

