Russ,
Thanks for the clarification on the reason why it was added. I believe we
still have scope for extending this to a more usable form and bundling the
changes together.
My developers complained like hell when they first encountered
IssuerAndSerialNumber, as it's a complete nightmare when working with
subjectName-based repositories. Using SubjectAndKeyIdentifier would allow very
easy location of certs whether they were in the received SignedData or not.
Regards,
Darren
-------------------------------------------------------------
Darren Harter BSc Hons MBCS CEng
CASM Technical Architect
CASM Programme Office
CESG
Work: dharter@cesg.gov.uk
Home: Darren.Harter@bcs.org.uk
Russ Housley <housley@spyrus.com> 12/16/98 06:50pm >>>
Darren:
The reason for the change is CMC support. In this case, the signer does not
have a certificate yet. The point of the message is a certificate request.
So, the signer does not have an issuer/serial number pair. This change
lets CMC use the SignerInfo.
The reason for the MSG document change is to mandate the use of an
issuer/serial number pair with S/MIME v3.
Russ
At 04:35 PM 12/10/98 +0000, Darren Harter wrote:
Russ,
Sorry if this is a no-brainer. I couldn't make the meeting this time, so
what I'm about to ask may have come up in discussion in the WG session. As
we've taken this opportunity to modify SignerInfo, would it not be a good
time to add a field that may simplify the identification of the signer's
certificate even more?
First of all let me confirm that I think it is good that the
subjectKeyIdentifier has been added. My concern is that I'm going to have
to do a lot of work to find such a certificate in a simple repository that
doesn't have good matching rule support.
I propose that we instead have the following structure:
   SignerIdentifier ::= CHOICE {
      issuerAndSerialNumber    IssuerAndSerialNumber,
      subjectKeyIdentifier     [0] SubjectKeyIdentifier,
      subjectAndKeyIdentifier  [1] SubjectAndKeyIdentifier }

where,

   SubjectAndKeyIdentifier ::= SEQUENCE {
      subjectName              Name,
      subjectKeyIdentifier     [0] SubjectKeyIdentifier OPTIONAL }
This will allow simple subject name look-up should an application wish to do
that. Your proposed words for the MSG spec would still stand unaltered.
Regards,
Darren
-------------------------------------------------------------
Darren Harter BSc Hons MBCS CEng
CASM Technical Architect
CASM Programme Office
CESG
Work: dharter@cesg.gov.uk
Home: Darren.Harter@bcs.org.uk
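The lookup problem the thread argues about can be made concrete with a small model. The following is an added example, not code from the thread or from any CMS implementation. It encodes the three SignerIdentifier alternatives in DER under the IMPLICIT tagging the CMS module uses (so the [0] SubjectKeyIdentifier appears on the wire as 0x80 and the proposed [1] SEQUENCE as 0xA1), then dispatches on the tag to find the signer's certificate in a repository. Assumptions: a Name is reduced to a single commonName RDN, the repository is a list of Python dicts, and the `subjectAndKeyIdentifier` alternative is Darren's proposal, not the published syntax. The sample repository is constructed for the demo and holds two certificates for one subject, which is the rekey case where subject name alone cannot pick the right one.

```python
"""Added example: SignerIdentifier CHOICE encoding and certificate lookup (not from the thread)."""

CN_OID = b"\x55\x04\x03"  # 2.5.4.3 id-at-commonName


def der_length(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; the signed width adds a 0x00 pad when the high bit is set."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def der_name(cn: str) -> bytes:
    """Name as a single RDN { commonName = cn } (demo simplification, not a general Name)."""
    atv = tlv(0x30, tlv(0x06, CN_OID) + tlv(0x13, cn.encode("ascii")))
    return tlv(0x30, tlv(0x31, atv))


def encode_issuer_and_serial(issuer_cn: str, serial: int) -> bytes:
    return tlv(0x30, der_name(issuer_cn) + der_integer(serial))  # untagged SEQUENCE


def encode_subject_key_identifier(ski: bytes) -> bytes:
    return tlv(0x80, ski)  # [0] IMPLICIT OCTET STRING: context-specific, primitive, tag 0


def encode_subject_and_key_identifier(subject_cn: str, ski: bytes = None) -> bytes:
    """Darren's proposed [1] alternative (hypothetical; not in the published CMS syntax)."""
    body = der_name(subject_cn) + (tlv(0x80, ski) if ski is not None else b"")
    return tlv(0xA1, body)  # [1] IMPLICIT SEQUENCE: context-specific, constructed, tag 1


def parse_tlv(data: bytes, pos: int = 0):
    """Return (tag, body, position after the TLV); rejects truncated or non-minimal lengths."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated TLV")
    return tag, body, pos + length


def name_cn(data: bytes, pos: int):
    """Parse the demo Name at data[pos:], returning (commonName, position after it)."""
    tag, rdn_sequence, end = parse_tlv(data, pos)
    if tag != 0x30:
        raise ValueError("expected Name SEQUENCE")
    _, rdn_set, _ = parse_tlv(rdn_sequence)
    _, atv, _ = parse_tlv(rdn_set)
    oid_tag, oid, after_oid = parse_tlv(atv)
    if oid_tag != 0x06 or oid != CN_OID:
        raise ValueError("demo supports a single commonName only")
    _, value, _ = parse_tlv(atv, after_oid)
    return value.decode("ascii"), end


def locate_certificate(sid_der: bytes, certs: list):
    """Find the signer's certificate; None if no match, or if the identifier is ambiguous."""
    tag, body, _ = parse_tlv(sid_der)
    if tag == 0x30:  # issuerAndSerialNumber: exact match on both fields
        issuer, pos = name_cn(body, 0)
        int_tag, serial_octets, _ = parse_tlv(body, pos)
        if int_tag != 0x02:
            raise ValueError("expected serialNumber INTEGER")
        serial = int.from_bytes(serial_octets, "big", signed=True)
        matches = [c for c in certs if c["issuer"] == issuer and c["serial"] == serial]
    elif tag == 0x80:  # subjectKeyIdentifier: the store must be indexed on the SKI extension
        matches = [c for c in certs if c["ski"] == body]
    elif tag == 0xA1:  # proposed subjectAndKeyIdentifier: subject lookup, SKI narrows if present
        subject, pos = name_cn(body, 0)
        ski = None
        if pos < len(body):
            ski_tag, ski, _ = parse_tlv(body, pos)
            if ski_tag != 0x80:
                raise ValueError("expected [0] subjectKeyIdentifier")
        matches = [c for c in certs if c["subject"] == subject and (ski is None or c["ski"] == ski)]
    else:
        raise ValueError("unknown SignerIdentifier tag 0x%02x" % tag)
    return matches[0] if len(matches) == 1 else None


# Constructed sample repository: Alice has re-keyed, so two certificates share her subject name.
REPOSITORY = [
    {"subject": "Alice", "issuer": "Demo CA", "serial": 0x1001, "ski": bytes.fromhex("a1a1a1a1")},
    {"subject": "Alice", "issuer": "Demo CA", "serial": 0x1002, "ski": bytes.fromhex("a2a2a2a2")},
    {"subject": "Bob", "issuer": "Demo CA", "serial": 0x80, "ski": bytes.fromhex("b0b0b0b0")},
]
```

Run with a subject-only `subjectAndKeyIdentifier` for "Alice" and the lookup returns None, because two certificates qualify; add the SKI and it resolves. A bare `subjectKeyIdentifier` for a key with no certificate in the store (Russ's CMC case, where the signer has none yet) also returns None, which is the situation a verifier has to handle rather than treat as an error.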