[Top] [All Lists]

Re: rfc2534 and multiple signing certificate attributes

2001-08-14 16:54:47


You are referring to ESS, RFC 2634, right?

In some cases, signatures are serial. In this case, a countersignature that contains the current Signing Certificate Attribute is sufficient.

In other cases, signatures are parallel. I think that your comments apply to this situation. Here, multiple signer info structures are present, each with it's own Signing Certificate Attribute. You are looking for a way to bind two or more signer info structures together. Am I understanding your concern correctly?


At 05:49 PM 8/10/2001 +0200, Peter Sylvester wrote:

rfc2534 defines the usage of a Signing Certificate Attribut where
actually only exactly one public key certificate + a list
of attribute certs can be indicated.

It happens sometimes that some signature policies require that
several signatures MUST be present before a document becomes
valid. Contrary to the real world it is rather simple to remove
one of multiple signatures on a CMS document, and this may
put the remaining signers into an undesirable situation.

It seems useful to extend have a mecanism for the signer indicating
that his signature is only valid if it is also signed by one
or more other signers.

Would it be useful to allow for multiple occurences of the attribute
to indicate that the overall signature is valid if there are multiple
signatures for all of the indicated attributes.
In addition, multiple attribute values could be used to indicate that
at least one of the indicated certs should match.

Unfortunately there is no "global" attribute set. Thus, the attributes will
occur in all signerinfos.

I would like to propose this as a modification to whatever will be
son of rfc2524.

Any comments are welcome.

Peter Sylvester

<Prev in Thread] Current Thread [Next in Thread>