Russ Housley wrote:
Steve:
How do you know that the signature value being counter-signed has anything
to do with the content if you skip this step?
You don't: they could just be getting random data countersigned that
isn't the signature to anything.
If the client can't verify the original signature they can't rely on the
countersignature. At best it could see that the digital signature being
countersigned is a signature of "something" though not what it referred
to. It may or may not refer to some valid content.
A similar case could arise even if the countersigner does verify the
original content and it was for example corrupted in transit. In this
case the client could make the conclusion that some content was
countersigned they would just have no idea what it was.
IMHO the only real difference between the two is that without content
verification an arbitrary digest could be countersigned whereas with
content verification it would have to be a digest to some known content.
I'm not sure what additional tricks could be played with content
verification but without chain verification: since bogus certificate
chains with arbitrary public keys could be included.
In the case of a timestamp none of this matters.
IMHO there are serious practical, security and privacy issues involved
if content has to always be examined by the countersigner, particularly
in the case of a timestamping authority.
In this case the countersigning certificate may well (should?) contain
appropriate extensions to indicate that it is a timestamping authority.
Maybe something more explicit could be included? For example an
additional signed attribute in the countersignature to indicate that the
original content had been examined?
Steve.
--
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk
PGP key: via homepage.