All,
Once again I believe that Paul has done a brilliant job of incorporating the
comments into ESS that have received the concurrence of the WG. I have a
few minor comment regarding ESS-08:
1) Sec 5, 4th para: Please replace "policies" with "certificate policies" to
distinguish between security policies (discussed in ESS Section 3) and
certificate policies (discussed in Sec 5). This results in the following
changes:
OLD: "Explicit policies can also be used as part of a signature verification
process. If a signer desires to state an explicit policy that should be used
validating the signature, that policy needs to be cryptographically bound
into the signing process. The methods described in this section allows for a
set of policy statements to be listed as part of the signing certificate
attribute."
NEW: "Explicit certificate policies can also be used as part of a signature
verification process. If a signer desires to state an explicit certificate
policy that should be used when validating the signature, that policy needs
to be cryptographically bound into the signing process. The methods
described in this section allows for a set of certificate policy statements
to be listed as part of the signing certificate attribute."
2) Sec 5.1.1, 1rst para, last sent: Please change as follows:
OLD: "This new certificate is used the signature verification process."
NEW: "This new certificate is used during the signature verification process."
3) Sec 5.2.2, 2nd para: Please change as follows because there is already a
sequence of CertIDs in the attribute:
OLD: "Preventing the attack based on reissuing of CA certificates would
require a substantial change the attribute presented in section 5.4. It
would require that a sequence of certificate identifiers be included in the
attribute."
NEW: "Preventing the attack based on reissuing of CA certificates would
require a substantial change to the usage of the signingCertificate
attribute presented in section 5.4. It would require that CertIDs would
need to be included in the attribute to represent the issuer certificates in
the signer's certification path."
4) Sec 5.4, Please change as follows:
OLD: "The following object identifier identifies the encrypted-data content
type:"
NEW: "The following object identifier identifies the signingCertificate
attribute:"
5) Sec 5.4, 3rd para, 2nd sent: Please change as follows:
OLD: "The encoding of the CertID for this certificate SHOULD NOT include the
issuerAndSerialNumber because the issuerAndSerialNumber is already present
in the SignerInfo."
NEW: "The encoding of the CertID for this certificate SHOULD NOT include the
issuerSerial because the issuerAndSerialNumber is already present in the
SignerInfo."
6) Sec 5.4, 3rd para, last sent: Please change as follows:
OLD: "If the hash of the certificate does not match the certificate used to
decode the signature, the signature MUST be considered invalid."
NEW: "If the hash of the certificate does not match the certificate used to
verify the signature, the signature MUST be considered invalid."
7) Sec 5.4, 4th para, 2nd sent: Please change as follows:
OLD: "The issuerAndSerialNumber SHOULD be present in these certificates,
unless the client who is validating the signature is expected to have easy
access to all the certificates required for validation."
NEW: "The issuerSerial SHOULD be present in these certificates, unless the
client who is validating the signature is expected to have easy access to
all the certificates required for validation."
8) Sec 5.4,.1, 1rst para, last sent: Please change as follows:
OLD: "A hash of the entire certificate serves the same function (allowing
the receiver to very the same certificate is being used), is smaller and
permits a detection of the simple substitution attacks."
NEW: "A hash of the entire certificate serves the same function (allowing
the receiver to verify that the same certificate is being used as when the
message was signed), is smaller and permits a detection of the simple
substitution attacks."
9) Appendix A: Please add the CertID and SigningCertificate attribute
syntaxes to the ASN.1 module.
10) Appendix A: Please add an import of PolicyInformation from the PKIX
Certificate and CRL Profile, Sec A.2 Implicitly Tagged Module, 1988 Syntax,
PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2)}
======================================================
John Pawling jsp(_at_)jgvandyke(_dot_)com
J.G. Van Dyke & Associates, Inc. www.jgvandyke.com
======================================================