ietf-smime

Re: Countersignature Attribute

1998-09-17 04:45:33
Steve:

How do you know that the signature value being counter-signed has anything
to do with the content if you skip this step?

I agree that the signer cert path does not need to be validated to ensure
that the appropriate binding...

Russ

At 10:55 PM 9/15/98 +0100, Dr Stephen Henson wrote:
Russ Housley wrote:

     The fact that a countersignature is computed on a signature value
     means that the countersigning process need not know the original
     content input to the signing process.  This might have efficiency
     advantages, but it also has security disadvantages.  Therefore,
     countersigners must validate the signature value prior to signing
     it.  This validation requires processing of the original content.


I respectfully disagree that it should be made mandatory for a
countersigner to process the original content. IMHO it should depend on
the purpose of the countersignature which is itself related to the
policy of the signing authority.

In particular take the example of a trusted timestamp. The purpose of
such a countersignature is simply to state that a given signature
existed at a given time. It says absolutely nothing about the content
being signed. It has a definite and valuable purpose for nonrepudiation.

It can for example show that a document was signed during the validity
period of the signer's certificate and is thus useful for archiving
purposes and others related to software publishing.

In for example a large and confidential document a client would simply
pass its digital signature to the timestamper. If the content needs to
be analysed then large amounts of possibly confidential data would need
to be passed to the timestamper. This is undesirable both in terms of
security and increased load on the countersigner.

Of course if the countersignature is to have some additional value then
having access to the content does become important.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk
PGP key: via homepage.
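
Added example, not part of either message: a simplified Python sketch of the trade-off debated above, in which a timestamper countersigns a signature value without seeing the content, so its countersignature verifies equally well over a value that is not a valid signature on anything. Assumptions: textbook RSA over known Mersenne primes stands in for a real signature algorithm, no CMS encoding is used, and all names (make_key, sign, verify, timestamp, check_timestamp) are hypothetical.

```python
import hashlib

E = 65537  # public exponent used by both constructed toy keys

def make_key(p, q):
    """Textbook RSA key from two primes (toy size, no padding; illustration only)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    sig = pow(_digest_int(data, key["n"]), key["d"], key["n"])
    return sig.to_bytes((key["n"].bit_length() + 7) // 8, "big")

def verify(key, data, sig):
    s = int.from_bytes(sig, "big")
    return s < key["n"] and pow(s, E, key["n"]) == _digest_int(data, key["n"])

# Constructed keys built from known Mersenne primes (far too small for real use).
SIGNER = make_key(2**127 - 1, 2**89 - 1)
STAMPER = make_key(2**107 - 1, 2**61 - 1)

def timestamp(sig_value, when):
    """Countersign a time plus the signature value; the content is never seen."""
    return sign(STAMPER, when.encode() + b"|" + sig_value)

def check_timestamp(sig_value, when, countersig):
    return verify(STAMPER, when.encode() + b"|" + sig_value, countersig)

def demo():
    content = b"large confidential document (constructed sample)"
    when = "2000-01-01T00:00:00Z"  # constructed time value
    good_sig = sign(SIGNER, content)
    # Constructed bytes of the right length that are not a signature on the content.
    bogus_sig = hashlib.sha256(b"not a signature").digest()[:len(good_sig)]
    return {
        # The timestamper's countersignature verifies over either value...
        "stamp_on_good_sig": check_timestamp(good_sig, when, timestamp(good_sig, when)),
        "stamp_on_bogus_sig": check_timestamp(bogus_sig, when, timestamp(bogus_sig, when)),
        # ...and only a check that uses the content tells the two apart.
        "good_sig_binds_content": verify(SIGNER, content, good_sig),
        "bogus_sig_binds_content": verify(SIGNER, content, bogus_sig),
        # The countersignature is bound to one signature value and cannot be moved.
        "stamp_moved_to_other_sig": check_timestamp(bogus_sig, when, timestamp(good_sig, when)),
    }

if __name__ == "__main__":
    print(demo())
```

Whoever relies on the timestamp still has to verify the original signature against the content; the countersignature alone only shows that the signature value existed at the stated time.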

