There has been some debate as to whether a countersigner should always
verify the original content of a message. IMHO there are compelling
reasons for not enforcing this which I'll mention below.
I'm not saying that a countersigner cannot verify the original content
just that it should not be forced to do so.
One form of countersigner is a trusted timestamping authority. Its
purpose is solely to demonstrate that a signature existed at a certain
time. As has been mentioned before, such a signature has an essential
puropose for nonrepudiation.
In addition it can be used to demonstrate the validity of a signature
after the certificates have expired: for example if CMS is used for code
signing. The alternative would be for software signatures to become
invalid after their certificate has expired (and they would typically
stop working) this is clearly unacceptable. The trusted timestamp could
cover several hundred Mb of data (for example an MPEG file).
Current systems of timestamping (for example the Verisign authority)
allow a request to be sent in plain text using HTTP. The request
includes just the SignatureValue portion of a SignerInfo structure. The
returned data is usable as a counterSignature attribute to establish the
signing time of the message.
In this case no attempt is made to verify the original content because
this is not necessary: no statement is being made by the timestamper
about the original content.
If the original content must be verified even for a timestamp then this
has several consequences.
1. Volume of data.
Potentially very large amounts of data would need to be passed to a
countersigner. This would make it impracticable to use over dial up
lines for example.
2. Security issues.
Currently only the digital signature is sent in plain text over http. If
the content needs to be verified as well, then potentially sensitive
data would need to be passed over insecure networks. This would
necessitate the use of some secure means of transferring the data such
as S/MIME envelopedData or SSL. Encryption laws in some countries would
mean that only inadequate weak encryption could be used for such
purposes. In some countries encryption would not be permitted at all.
3. Privacy issues.
If the content needs to be verified then the timestamper needs to be
sent a copy of the original content. The potential for abuse is
considerable. I for one would be very reluctant to send copies of all my
signed mail to a timestamping authority.
Steve.
--
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk
PGP key: via homepage.