ietf-smime

Last Call Comment on ESS - Signing Certificate Attribute

1999-02-04 12:21:50
In reviewing some requirements that are coming from external companies on
our product requirements, I found the following problem.

It turns out that not everybody is up to the point of using attribute
certificates for assigning authorizations.  This information is being
carried in normal authentication certificates and usually in an encryption
certificate rather than the signing certificate.  This means that we need to
allow more than attribute certificates in the last portion of the list.



Replace Section 5.4 paragraph 4 with the following:

If more than one certificate is present in the sequence of ESSCertIDs, the
certificates after the first one limit the set of authorization certificates
that are used during signature validation. Authorization certificates can be
both attribute certificates and normal certificates. The issuerSerial SHOULD
be present in these certificates, unless the client who is validating the
signature is expected to have easy access to all the certificates required
for validation. If only the signing certificate is present in the sequence,
there are no restrictions on the set of authorization certificates used in
validating the signature.

jim
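
The selection rule in the proposed paragraph, sketched as an added example that is not part of the original message or of any S/MIME implementation. The `Cert` class, the function names and the sample certificates are hypothetical; the code assumes each ESSCertID carries a SHA-1 hash of the encoded certificate plus an optional issuerSerial.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Cert:                      # hypothetical stand-in for a parsed certificate
    der: bytes                   # encoded certificate bytes
    issuer: str
    serial: int
    kind: str                    # "pkc" (normal certificate) or "ac" (attribute certificate)

@dataclass(frozen=True)
class ESSCertID:
    cert_hash: bytes                                   # assumed: SHA-1 over the encoded certificate
    issuer_serial: Optional[Tuple[str, int]] = None    # SHOULD be present, may be omitted

def ess_cert_id(cert: Cert, with_issuer_serial: bool = True) -> ESSCertID:
    ident = (cert.issuer, cert.serial) if with_issuer_serial else None
    return ESSCertID(hashlib.sha1(cert.der).digest(), ident)

def matches(cid: ESSCertID, cert: Cert) -> bool:
    # The hash must always match; issuerSerial is checked only when it is present.
    if hashlib.sha1(cert.der).digest() != cid.cert_hash:
        return False
    return cid.issuer_serial is None or cid.issuer_serial == (cert.issuer, cert.serial)

def select_certs(cert_ids: List[ESSCertID], available: List[Cert]):
    """Return (signing certificate, authorization certificates usable in validation)."""
    if not cert_ids:
        raise ValueError("sequence of ESSCertIDs is empty")
    signer = next((c for c in available if matches(cert_ids[0], c)), None)
    if signer is None:
        raise LookupError("signing certificate not available")
    others = [c for c in available if c is not signer]
    if len(cert_ids) == 1:
        return signer, others            # only the signing certificate listed: no restriction
    # Entries after the first limit the set, for attribute and normal certificates alike.
    return signer, [c for c in others if any(matches(i, c) for i in cert_ids[1:])]

# Constructed sample certificates (placeholder bytes, not real DER).
SIGN = Cert(b"constructed-signing-cert", "CN=Example CA", 1, "pkc")
ENC = Cert(b"constructed-encryption-cert", "CN=Example CA", 2, "pkc")
AC1 = Cert(b"constructed-attribute-cert-1", "CN=Example AA", 7, "ac")
AC2 = Cert(b"constructed-attribute-cert-2", "CN=Example AA", 8, "ac")
POOL = [SIGN, ENC, AC1, AC2]
```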
