Russ,

> Before this approach was adopted, we asked several
> implementors if their toolkits would handle this sort of nesting.
> Not a single implementor expressed concern at that time.
> Do you have new information for us?

No - my point was generic rather than specific - and seeking to
understand the background to the change. It appears to be to
save redundant encoding/bytes.
I have not reviewed all the toolkits so can't comment on their
support. (FYI: the toolkit we are using is the SFL which does
allow us to pass in signed-data and enveloped-data, and does
not require a Content-Info wrapper.)
As a user of the toolkit, rather than a provider, I need to be
able to handle the nesting, rather than expecting the toolkit
to do it for me.
For example, after validating the outer signature and retrieving the
ESS label, I want to check that the user is cleared for that label
before going on to decrypt the next level.
Graeme