ietf-smime

Re: Countersignature Attribute

1998-09-15 13:43:48
John:

Prior to getting this note, I took a stab at revisions to the same section of text.  I do not know how S/MIME v2 implementations handle countersignatures, but I took the opposite approach that you did.  I was trying to ensure that current implementations would all conform.

Here is what I wrote:
A countersignature attribute can have multiple attribute values.  The syntax is defined as a SET OF AttributeValue, and there must be one or more instances of AttributeValue present.

The UnsignedAttributes syntax is defined as a SET OF Attributes.  The UnsignedAttributes in a signerInfo may include multiple instances of the countersignature attribute.

The fact that a countersignature is computed on a signature value means that the countersigning process need not know the original content input to the signing process.  This might have efficiency advantages, but it also has security disadvantages.  Therefore, countersigners must validate the signature value prior to signing it.  This validation requires processing of the original content.

A countersignature, since it has type SignerInfo, can itself contain a countersignature attribute.  Thus it is possible to construct arbitrarily long series of countersignatures.
Russ


At 11:56 AM 9/15/98 -0400, John Pawling wrote:
>Peter (and friends),
>
>I agree with your recommendation.  This results in a change to my comment to
>CMS-06 to read as follows:
>
>5) Sec 11.4, Countersignature: Please change as follows:
>
>OLD: "A countersignature attribute can have multiple attribute values."
>
>NEW: "The UnsignedAttributes syntax is defined as a SET OF Attribute. 
>The UnsignedAttributes in a signerInfo MUST NOT include multiple
>instances of the countersignature attribute.  The Attribute syntax defines
>attrValues as a SET OF AttributeValue.  A countersignature attribute
>MAY include one or more instances of AttributeValue.  There MUST NOT
>be zero instances of AttributeValue present in the attrValues SET
>OF AttributeValue."
>
>Does anybody disagree with this recommendation???
>
>- John Pawling
>
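Added example, not code from either message: a Python audit that walks a SignerInfo's unsignedAttrs, counts countersignature attributes and the AttributeValues in each, and recurses into the nested SignerInfos to measure how long a chain of countersignatures is. `violations` applies the cardinality rules discussed above, with the single-attribute MUST NOT switchable because the two proposed texts differ on it. The DER helpers are minimal and assume well-formed input, and the sample SignerInfo uses placeholder sid and signature bytes (constructed data, not a real signature).

```python
# Added example: structural audit of a CMS SignerInfo's unsignedAttrs for the countersignature attribute.
ID_COUNTERSIGNATURE = bytes.fromhex("2a864886f70d010906")  # DER content octets of OID 1.2.840.113549.1.9.6

def tlv(tag, *parts):
    """Encode one DER TLV (long-form length when the content is 128 bytes or more)."""
    body = b"".join(parts)
    size = 0 if len(body) < 128 else (len(body).bit_length() + 7) // 8
    length = bytes([len(body)]) if not size else bytes([0x80 | size]) + len(body).to_bytes(size, "big")
    return bytes([tag]) + length + body

def children(content):
    """Decode the content of a constructed value into (tag, content) pairs; assumes well-formed DER."""
    out, pos = [], 0
    while pos < len(content):
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:                                   # long form: low 7 bits give the length's byte count
            size = length & 0x7F
            length, pos = int.from_bytes(content[pos:pos + size], "big"), pos + size
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out

def audit(signer_info):
    """Return (countersignature attribute count, AttributeValues per attribute, nesting depth)."""
    body, counts, depth = children(signer_info)[0][1], [], 0
    unsigned = [a for t, u in children(body) if t == 0xA1 for a in children(u)]  # [1] IMPLICIT UnsignedAttributes
    for _, attr in unsigned:
        (_, attr_type), (_, attr_values) = children(attr)  # Attribute ::= SEQUENCE { attrType, attrValues }
        if attr_type == ID_COUNTERSIGNATURE:
            values = children(attr_values)
            counts.append(len(values))
            # each AttributeValue has type SignerInfo, so recurse to follow the chain of countersignatures
            depth = max([depth] + [1 + audit(tlv(t, v))[2] for t, v in values])
    return len(counts), counts, depth

def violations(signer_info, single_attribute_rule):
    """Zero AttributeValues violates both proposed texts; more than one attribute only the MUST NOT text."""
    n_attrs, counts, _ = audit(signer_info)
    problems = [f"attribute {i} has zero values" for i, c in enumerate(counts) if c == 0]
    if single_attribute_rule and n_attrs > 1:
        problems.append(f"{n_attrs} countersignature attributes present")
    return problems

def sample_signer_info(*attribute_value_sets):
    """Constructed sample with placeholder sid and signature; each argument becomes one countersignature attribute."""
    parts = [tlv(0x02, b"\x01"), tlv(0x30, tlv(0x30), tlv(0x02, b"\x07")),  # version, issuerAndSerialNumber stub
             tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a"))),              # digestAlgorithm: sha-1
             tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105"))),      # signatureAlgorithm: sha1WithRSA
             tlv(0x04, bytes(16))]                                           # placeholder signature value
    attrs = [tlv(0x30, tlv(0x06, ID_COUNTERSIGNATURE), tlv(0x31, *vals)) for vals in attribute_value_sets]
    return tlv(0x30, *parts, *([tlv(0xA1, *attrs)] if attrs else []))
```

`sample_signer_info([sample_signer_info()])` builds a signature carrying one countersignature; passing two lists builds the case the proposed MUST NOT text rejects, and passing an empty list builds the zero-value case both texts reject.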