ietf-smime

Re: ESS changes from the WG Meeting

1998-12-14 12:44:07
Jim,

I agree that it should read differently, however see minor change below:

Given the addition of SKI to SignerInfo, the following change should be made
in section 5.4 of ESS.

First paragraph after ASN is:

The first certificate identified in the sequence of certificate identifiers
MUST be the certificate used to verify the signature. The encoding of the
ESSCertID for this certificate SHOULD NOT include the issuerSerial because
the issuerAndSerialNumber is already present in the SignerInfo. The
certificate identified is used during the signature verification process. If
the hash of the certificate does not match the certificate used to verify
the signature, the signature MUST be considered invalid.

Paragraph should be:

The first certificate identified in the sequence of certificate identifiers
MUST be the certificate used to verify the signature.  The encoding of the
ESSCertID for this certificate SHOULD include the issuerSerial field.  If
other constraints ensure that issuerAndSerialNumber will be present in the
SignerInfo, ESSCertID MAY be omitted. The certificate identified is used
during the signature verification process. If the hash of the certificate
does not match the certificate used to verify the signature, the signature
MUST be considered invalid.

Should it not read as follows instead:

The first certificate identified in the sequence of certificate identifiers
MUST be the certificate used to verify the signature.  The encoding of the
ESSCertID for this certificate SHOULD include the issuerSerial field.  If
other constraints ensure that issuerAndSerialNumber will be present in the
SignerInfo, the issuerSerial field MAY be omitted. The certificate
identified is used during the signature verification process. If the hash
of the certificate does not match the certificate used to verify the
signature, the signature MUST be considered invalid.

Francois Rousseau
AEPOS Technologies
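
Added example, not part of the original message or of the ESS draft: the verifier-side check that the paragraph under discussion describes, in Python. The simplified ESSCertID model, the use of SHA-1 for the certificate hash, the comparison of issuerSerial when it is present, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Simplified stand-in for (issuer name, serial number); real code would
# compare the DER-encoded issuer name and the integer serial.
IssuerSerial = Tuple[str, int]


@dataclass(frozen=True)
class ESSCertID:
    cert_hash: bytes                              # hash over the whole encoded certificate
    issuer_serial: Optional[IssuerSerial] = None  # may be omitted, per the text above


def make_cert_id(cert_der: bytes, issuer_serial: Optional[IssuerSerial] = None) -> ESSCertID:
    """Build the identifier a signer would place in the signed attribute."""
    return ESSCertID(hashlib.sha1(cert_der).digest(), issuer_serial)  # SHA-1 assumed


def check_signing_certificate(cert_ids: Sequence[ESSCertID],
                              verify_cert_der: bytes,
                              verify_issuer_serial: IssuerSerial) -> Tuple[bool, str]:
    """Check the first ESSCertID against the certificate used to verify the signature."""
    if not cert_ids:
        return False, "no ESSCertID present"
    first = cert_ids[0]  # only the first entry identifies the signer's certificate
    actual = hashlib.sha1(verify_cert_der).digest()
    if not hmac.compare_digest(first.cert_hash, actual):
        return False, "certHash mismatch"  # signature MUST be considered invalid
    # issuerSerial is optional; when present it is compared as well (assumption).
    if first.issuer_serial is not None and first.issuer_serial != verify_issuer_serial:
        return False, "issuerSerial mismatch"
    return True, "ok"


# Constructed sample data: placeholder bytes standing in for DER certificates.
SIGNER_CERT = b"constructed-signer-certificate-der"
OTHER_CERT = b"constructed-substituted-certificate-der"
SIGNER_ID: IssuerSerial = ("CN=Example CA", 4242)

if __name__ == "__main__":
    with_serial = [make_cert_id(SIGNER_CERT, SIGNER_ID)]
    without_serial = [make_cert_id(SIGNER_CERT)]
    print(check_signing_certificate(with_serial, SIGNER_CERT, SIGNER_ID))
    print(check_signing_certificate(without_serial, SIGNER_CERT, SIGNER_ID))
    print(check_signing_certificate(with_serial, OTHER_CERT, SIGNER_ID))
```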
