John:
Regarding Jim's comment 7: In previous messages, I proposed changes to the
Section 6.1 EnvelopedData version-setting algorithm that address your
comments. I repeated the proposal today in my reply to Peter Gutmann's
message sent to the S/MIME mail list.
Regarding Jim's comment 11: In a previous reply to Jim (which he concurred
with), I proposed the following:
[John: I agree that a non-match is a critical security error. Propose that
the following sentence be added to Section 5.6 Message Signature
Verification Process as the last paragraph: "If the signedData signerInfo
includes signedAttributes and the content-type attribute value is different
from the signedData encapContentInfo eContentType value, then the CMS
implementation MUST report an error."
How about an additional paragraph that says: "If the SignedData signerInfo
includes signedAttributes, then the content-type attribute value MUST match
the SignedData encapContentInfo eContentType value."
Propose that the following sentence be added to Section 9.3 MAC Verification
as the last paragraph: "If the authenticatedData includes
authenticatedAttributes and the content-type attribute value is different
from the authenticatedData encapContentInfo eContentType value, then the CMS
implementation MUST report an error."]
To be parallel, I propose a new paragraph in section 9.3 that says: "If
the AuthenticatedData includes authenticatedAttributes, then the
content-type attribute value MUST match the AuthenticatedData
encapContentInfo eContentType value."
Russ
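
The SignedData check proposed in the message above, as an added example that is not part of the original e-mail or of any CMS implementation: a verifier compares each signerInfo's content-type signed attribute with encapContentInfo eContentType and reports an error on mismatch. The function names, the minimal DER reader and the constructed sample structure (placeholder algorithms and signature, no signature verification) are assumptions made for illustration.

```python
# Added example: minimal DER walk, short-form sample data only; no signature check.
OID_ATTR_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")  # 1.2.840.113549.1.9.3
OID_DATA = bytes.fromhex("2a864886f70d010701")               # id-data
OID_RECEIPT = bytes.fromhex("2a864886f70d0109100101")        # id-ct-receipt

def tlv(tag, body):
    """Encode one DER TLV (sample builder; bodies under 128 bytes only)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlvs(buf):
    """Split a DER buffer into a list of (tag, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def check_content_type(signed_data):
    """Raise ValueError if a signer's content-type attribute != eContentType."""
    fields = read_tlvs(read_tlvs(signed_data)[0][1])
    e_content_type = read_tlvs(fields[2][1])[0][1]   # encapContentInfo.eContentType
    for _, signer_info in read_tlvs(fields[-1][1]):  # signerInfos is the last field
        signed_attrs = [v for t, v in read_tlvs(signer_info) if t == 0xA0]
        if not signed_attrs:
            continue                      # no signedAttrs: the rule does not apply
        for _, attr in read_tlvs(signed_attrs[0]):
            (_, attr_type), (_, values) = read_tlvs(attr)
            if attr_type == OID_ATTR_CONTENT_TYPE and \
                    [v for _, v in read_tlvs(values)] != [e_content_type]:
                raise ValueError("content-type attribute != eContentType")
    return True

def sample_signed_data(attr_content_type, e_content_type=OID_DATA):
    """Constructed SignedData skeleton (placeholder algorithms and signature)."""
    attr = tlv(0x30, tlv(0x06, OID_ATTR_CONTENT_TYPE)
               + tlv(0x31, tlv(0x06, attr_content_type)))
    signer = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x80, b"\x01\x02") + tlv(0x30, b"")
                 + tlv(0xA0, attr) + tlv(0x30, b"") + tlv(0x04, b"sig"))
    return tlv(0x30, tlv(0x02, b"\x03") + tlv(0x31, b"")
               + tlv(0x30, tlv(0x06, e_content_type)) + tlv(0x31, signer))
```

The same comparison applies to AuthenticatedData, with authenticatedAttributes in place of signedAttributes.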