Russ,
Sorry if this is a no-brainer. I couldn't make the meeting this time, so what
I'm about to ask may have come up in discussion in the WG session. As we've
taken this opportunity to modify SignerInfo, would it not be a good time to add
a field that may simplify the identification of the signer's certificate even
more?
First of all, let me confirm that I think it is good that the
subjectKeyIdentifier has been added. My concern is that I'm going to have to
do a lot of work to find such a certificate in a simple repository that doesn't
have good matching rule support.
I propose that we instead have the following structure:
SignerIdentifier ::= CHOICE {
    issuerAndSerialNumber    IssuerAndSerialNumber,
    subjectKeyIdentifier     [0] SubjectKeyIdentifier,
    subjectAndKeyIdentifier  [1] SubjectAndKeyIdentifier }
where,
SubjectAndKeyIdentifier ::= SEQUENCE {
    subjectName              Name,
    subjectKeyIdentifier     [0] SubjectKeyIdentifier OPTIONAL }
This will allow simple subject name look-up should an application wish to do
that. Your proposed words for the MSG spec would still stand unaltered.
Regards,
Darren
-------------------------------------------------------------
Darren Harter BSc Hons MBCS CEng
CASM Technical Architect
CASM Programme Office
CESG
Work: dharter(_at_)cesg(_dot_)gov(_dot_)uk
Home: Darren(_dot_)Harter(_at_)bcs(_dot_)org(_dot_)uk
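The following is an added example, not part of Darren's message or of the CMS specification, that shows how the proposed three-way SignerIdentifier CHOICE encodes and decodes on the wire and how a receiving application would use each alternative to locate a certificate in a flat repository with no matching-rule support. It assumes the CMS module's IMPLICIT tagging convention (so [0] and [1] replace the underlying type's own tag), reduces Name to a single commonName RDN, and uses a constructed in-memory certificate list; production code should use a real ASN.1 library rather than this hand-rolled DER.

```python
from typing import Optional

# Universal tags, plus the two context-specific tags the CHOICE introduces.
TAG_INTEGER, TAG_OID, TAG_UTF8, TAG_SEQ, TAG_SET = 0x02, 0x06, 0x0C, 0x30, 0x31
TAG_CTX0_PRIM = 0x80   # [0] IMPLICIT on OCTET STRING  -> subjectKeyIdentifier
TAG_CTX1_CONS = 0xA1   # [1] IMPLICIT on SEQUENCE      -> subjectAndKeyIdentifier
OID_CN = bytes([0x55, 0x04, 0x03])   # id-at-commonName, 2.5.4.3


def der_len(n: int) -> bytes:
    """DER definite length, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, end_offset) of the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def encode_cn_name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN, reduced here to one CN attribute (assumption)."""
    atv = tlv(TAG_SEQ, tlv(TAG_OID, OID_CN) + tlv(TAG_UTF8, cn.encode()))
    return tlv(TAG_SEQ, tlv(TAG_SET, atv))


def decode_cn_name(name_der: bytes) -> str:
    _, rdns, _ = read_tlv(name_der)      # SEQUENCE OF RDN
    _, rdn, _ = read_tlv(rdns)           # SET OF AttributeTypeAndValue
    _, atv, _ = read_tlv(rdn)            # SEQUENCE { type, value }
    oid_tag, oid, pos = read_tlv(atv)
    if oid_tag != TAG_OID or oid != OID_CN:
        raise ValueError("only commonName is modelled in this example")
    _, value, _ = read_tlv(atv, pos)
    return value.decode()


def encode_issuer_and_serial(issuer_cn: str, serial: int) -> bytes:
    # Positive INTEGER: a leading 0x00 is added when the top bit would be set.
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    return tlv(TAG_SEQ, encode_cn_name(issuer_cn) + tlv(TAG_INTEGER, ser))


def encode_subject_key_identifier(ski: bytes) -> bytes:
    return tlv(TAG_CTX0_PRIM, ski)


def encode_subject_and_key_identifier(subject_cn: str, ski: Optional[bytes] = None) -> bytes:
    content = encode_cn_name(subject_cn)
    if ski is not None:                      # the OPTIONAL component
        content += tlv(TAG_CTX0_PRIM, ski)
    return tlv(TAG_CTX1_CONS, content)


def decode_signer_identifier(buf: bytes) -> dict:
    """A CHOICE decoder dispatches on the outer tag; unknown tags are rejected."""
    tag, content, end = read_tlv(buf)
    if end != len(buf):
        raise ValueError("trailing bytes after SignerIdentifier")
    if tag == TAG_SEQ:
        _, _, pos = read_tlv(content)
        itag, ser, _ = read_tlv(content, pos)
        if itag != TAG_INTEGER:
            raise ValueError("serialNumber must be INTEGER")
        return {"choice": "issuerAndSerialNumber", "issuer": decode_cn_name(content[:pos]),
                "serial": int.from_bytes(ser, "big", signed=True)}
    if tag == TAG_CTX0_PRIM:
        return {"choice": "subjectKeyIdentifier", "ski": content}
    if tag == TAG_CTX1_CONS:
        _, _, pos = read_tlv(content)
        result = {"choice": "subjectAndKeyIdentifier",
                  "subject": decode_cn_name(content[:pos]), "ski": None}
        if pos < len(content):
            stag, ski, _ = read_tlv(content, pos)
            if stag != TAG_CTX0_PRIM:
                raise ValueError("unexpected component in SubjectAndKeyIdentifier")
            result["ski"] = ski
        return result
    raise ValueError(f"unknown SignerIdentifier alternative, tag 0x{tag:02x}")


# Constructed repository: a flat list with no matching-rule support, the case
# where a subject-name key is the simplest thing to search on.
REPOSITORY = [
    {"subject": "Alice", "issuer": "Test CA", "serial": 4660, "ski": bytes.fromhex("0102030405")},
    {"subject": "Bob",   "issuer": "Test CA", "serial": 4661, "ski": bytes.fromhex("a0b0c0d0e0")},
]


def find_certificate(sid_der: bytes, repo=REPOSITORY):
    sid = decode_signer_identifier(sid_der)
    for cert in repo:
        if sid["choice"] == "issuerAndSerialNumber":
            if cert["issuer"] == sid["issuer"] and cert["serial"] == sid["serial"]:
                return cert
        elif sid["choice"] == "subjectKeyIdentifier":
            if cert["ski"] == sid["ski"]:
                return cert
        else:   # subject name selects; the SKI, when present, must also agree
            if cert["subject"] == sid["subject"] and (sid["ski"] is None or cert["ski"] == sid["ski"]):
                return cert
    return None
```

The look-up deliberately treats an SKI carried inside subjectAndKeyIdentifier as a constraint rather than a hint: a name match with a mismatching key identifier returns nothing, so a repository holding several certificates for the same subject cannot hand back the wrong one.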