Hi,
I'm new to this list so bear with me if these questions have already been
asked (and answered).
I'm looking to implement a semi-capable S/MIME client that only takes care
of signing and not encrypting.
My questions are regarding multipart/signed. I have bumped into a problem
interpreting what the content to be signed is. In the RFCs it states how
to canonicalize, but I can't seem to find any information on what data to
sign (both signing a simple MIME entity, and signing a multipart MIME entity).
Signing a simple MIME entity:
Is all data including the last CRLF signed until reaching the boundary?
Or is the "middle" boundary included?
Signing a MIME multipart/* entity:
Is all data including the last CRLF signed until reaching the "middle"
boundary of the multipart signed message?
Or is the "middle" boundary included?
Or do we only sign data including the "end" boundary for the multipart
being signed?
Is there anywhere where the rules for what data to sign are stated clearly?
Still, I don't seem to be the only one with this problem. I've run three
different clients: Outlook Express 5.0, Netscape Messenger 4.72 and OpenSSL
0.9.5a. Even these clients seem to have problems interpreting what data
should be signed. OE and NM seem to agree on how to do things. OpenSSL can
verify almost all messages from OE and NM but not all. OE has problems
verifying messages from OpenSSL.
I find OpenSSL 0.9.5 on the RSA's list of interoperable S/MIME
implementations??? I don't find any recent Microsoft or Netscape products
on this list.
On the RSA site it points to the Entrust autoresponder for testing. This
site does not seem to be up and running. Is there any other way to test
that one follows the specification(s)?
Thanks!
/Peter
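
An added example, not part of the original post: a sketch of how a verifier can isolate the octets to digest. It follows RFC 1847 section 2.1 (the first body part is signed, including its MIME headers) and RFC 2046 section 5.1.1 (the CRLF preceding a boundary delimiter belongs to the delimiter, not to the part). The function name and the sample messages are constructed for illustration, and the input is assumed to be already canonicalized to CRLF line endings.

```python
import re

def signed_content(body: bytes, boundary: bytes) -> bytes:
    """Return the exact octets of the first part of a multipart/signed body.

    The part starts right after the first delimiter line and ends just
    before the CRLF that introduces the next delimiter. An inner
    multipart's own close delimiter is therefore inside the signed data;
    the outer "middle" boundary and its leading CRLF are not.
    """
    delim = re.compile(
        rb"(?:^|\r\n)--" + re.escape(boundary) + rb"(--)?[ \t]*(?:\r\n|\Z)"
    )
    marks = list(delim.finditer(body))
    # Need an opening delimiter that is not the close delimiter, plus the
    # delimiter that ends the first part.
    if len(marks) < 2 or marks[0].group(1):
        raise ValueError("no complete first body part found")
    return body[marks[0].end():marks[1].start()]

# Constructed sample: a simple text entity. The signature part is a stub.
SIMPLE = (
    b"Preamble, never signed.\r\n"
    b"--outer\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Hello\r\n"            # this CRLF is content and is signed
    b"\r\n--outer\r\n"      # this CRLF belongs to the delimiter
    b"Content-Type: application/pkcs7-signature\r\n\r\nSIG\r\n"
    b"--outer--\r\n"
)

# Constructed sample: the signed entity is itself a multipart/mixed.
NESTED = (
    b"--outer\r\n"
    b'Content-Type: multipart/mixed; boundary="inner"\r\n\r\n'
    b"--inner\r\nContent-Type: text/plain\r\n\r\nA\r\n"
    b"--inner--"            # inner close delimiter is signed
    b"\r\n--outer\r\n"      # outer delimiter and its CRLF are not
    b"Content-Type: application/pkcs7-signature\r\n\r\nSIG\r\n"
    b"--outer--\r\n"
)

if __name__ == "__main__":
    print(signed_content(SIMPLE, b"outer"))
    print(signed_content(NESTED, b"outer"))
```

A client that adds or drops the final CRLF before the middle boundary produces a different digest, which is one way two implementations can disagree on the same message.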