ietf-smime

RE: Use of attribute certificates in SignedData

2001-08-29 08:28:11
Chris,
 
I can't answer all of your questions, but here is some information that may
help.
 
The S/MIME Freeware Library (SFL) (available from
<http://www.getronicsgov.com/hot/sfl_lib.htm>) implements RFC 2630
including the 1997 X.509 Attribute Certificate (AC) syntax.  The SFL
supports the ASN.1 encoding and decoding of 1997 ACs in signedData and
envelopedData content types.  The SFL does not attempt to verify ACs.  While
using the SFL to construct a signedData or envelopedData content type, the
application can provide the SFL with an ASN.1-encoded 1997 AC to be included
in the signedData or envelopedData.  While using the SFL to process a
signedData or envelopedData content type, if a 1997 AC is present, then the
SFL provides the ASN.1-encoded 1997 AC to the application for further
verification and processing.  If a 2000 AC is included in a signedData or
envelopedData content type provided to the SFL for processing, then the SFL
will return an ASN.1 decode error because the 2000 X.509 AC syntax is not a
part of RFC2630.  
 
The 2000 X.509 AC syntax is a part of the "son-of-rfc2630" Internet-Draft
<draft-ietf-smime-rfc2630bis-02.txt>.  Once rfc2630bis is stable and
approved, then Getronics will enhance the SFL to implement the rfc2630bis
specification including supporting the ASN.1 encoding and decoding of 2000
X.509 ACs.  At this time, I would recommend against including 2000 ACs in
signedData and envelopedData content types for the following reasons: 2000
X.509 AC syntax is not a part of RFC2630; and rfc2630bis specification is
not yet stable and has not been widely implemented.
 
To my knowledge, no interoperability testing has been performed of
signedData or envelopedData content types including ACs.  There are no ACs
included in the Examples of S/MIME Messages Internet-Draft.  Also, there are
no ACs included in the test messages documented in Jim Schaad's
interoperability matrix for RFCs 2630 through 2634 (available from
<http://www.imc.org/ietf-smime/interop-matrix.html>).
 
The current release of the Access Control Library (ACL) (available from
<http://www.getronicsgov.com/hot/acl_home.htm>) can be used to verify 1997
X.509 ACs.  We are in the process of enhancing the ACL to support the
verification of both 1997 and 2000 X.509 ACs.
=========================================== 
John Pawling, John.Pawling@GetronicsGov.com
Getronics Government Solutions, LLC 
=========================================== 
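As an added example that is not part of the original message or of the SFL, the following Python walks the DER tags of a SignedData `certificates [0] IMPLICIT CertificateSet` and shows why an RFC 2630 decoder fails on a 2000 AC: RFC 2630 section 10.2.2 defines CertificateChoices with certificate (SEQUENCE), extendedCertificate [0] IMPLICIT and attrCert [1] IMPLICIT, while rfc2630bis (later published as RFC 3369) keeps [1] for the 1997 v1 AC and adds v2AttrCert [2] IMPLICIT for the 2000 v2 AC. The function names, the profile labels and the stub entries (INTEGER 1 standing in for real certificate and AC bodies) are my own constructions, not anything from the library or the draft.

```python
"""Classify the entries of a CMS `certificates [0] IMPLICIT CertificateSet`
by their DER tags, as an RFC 2630 decoder and an rfc2630bis decoder would
see them.  Added example; this is not SFL code."""

from typing import Dict, List, Tuple

# CertificateChoices alternatives keyed by the outer DER tag byte.
# RFC 2630 section 10.2.2: certificate (SEQUENCE, 0x30),
# extendedCertificate [0] IMPLICIT (0xA0), attrCert [1] IMPLICIT (0xA1).
# rfc2630bis (published as RFC 3369) keeps [1] for the 1997 v1 AC and adds
# v2AttrCert [2] IMPLICIT (0xA2) for the 2000 v2 AC.
CHOICES: Dict[str, Dict[int, str]] = {
    "rfc2630": {0x30: "certificate",
                0xA0: "extendedCertificate",
                0xA1: "attrCert (1997 AC)"},
    "rfc2630bis": {0x30: "certificate",
                   0xA0: "extendedCertificate",
                   0xA1: "v1AttrCert (1997 AC)",
                   0xA2: "v2AttrCert (2000 AC)"},
}


class DecodeError(ValueError):
    """Raised where a strict ASN.1 decoder would reject the input."""


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at `pos`; return (tag, value, next_pos).
    Single-byte tags and definite lengths only, which is all DER needs here."""
    if pos >= len(buf):
        raise DecodeError("truncated: no tag at offset %d" % pos)
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DecodeError("high tag numbers do not occur in CertificateSet")
    pos += 1
    if pos >= len(buf):
        raise DecodeError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        length = first
    else:                                 # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DecodeError("indefinite or oversized length is not DER")
        if pos + n > len(buf):
            raise DecodeError("truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or buf[pos - n] == 0:
            raise DecodeError("non-minimal length is not DER")
    if pos + length > len(buf):
        raise DecodeError("truncated value: need %d bytes" % length)
    return tag, buf[pos:pos + length], pos + length


def classify_certificate_set(der: bytes, profile: str = "rfc2630") -> List[str]:
    """Walk a `certificates [0] IMPLICIT CertificateSet` and name each entry.
    Raises DecodeError for a tag the profile does not define, which is what an
    RFC 2630-only decoder does when handed a 2000 (v2) AC."""
    choices = CHOICES[profile]
    tag, body, end = read_tlv(der, 0)
    if tag != 0xA0:
        raise DecodeError("expected [0] IMPLICIT CertificateSet, got 0x%02X" % tag)
    if end != len(der):
        raise DecodeError("trailing bytes after CertificateSet")
    kinds: List[str] = []
    pos = 0
    while pos < len(body):
        tag, _, pos = read_tlv(body, pos)   # entry bodies are not inspected
        if tag not in choices:
            raise DecodeError("tag 0x%02X is not a CertificateChoices "
                              "alternative in %s" % (tag, profile))
        kinds.append(choices[tag])
    return kinds


def decodes_under(der: bytes, profile: str) -> bool:
    """True if a decoder of that profile accepts the CertificateSet."""
    try:
        classify_certificate_set(der, profile)
        return True
    except DecodeError:
        return False


# Constructed stand-ins (assumption: not real certificates).  Each entry
# carries INTEGER 1 as its body; only the outer tag selects the choice.
CERT_STUB = bytes.fromhex("3003020101")   # SEQUENCE     -> Certificate
V1_AC_STUB = bytes.fromhex("a103020101")  # [1] IMPLICIT -> 1997 AC
V2_AC_STUB = bytes.fromhex("a203020101")  # [2] IMPLICIT -> 2000 AC (bis only)


def certificate_set(*entries: bytes) -> bytes:
    """Wrap entries as `[0] IMPLICIT CertificateSet` (short-form length)."""
    body = b"".join(entries)
    if len(body) >= 0x80:
        raise ValueError("stubs are expected to fit a short-form length")
    return bytes([0xA0, len(body)]) + body


WITH_V1 = certificate_set(CERT_STUB, V1_AC_STUB)
WITH_V2 = certificate_set(CERT_STUB, V1_AC_STUB, V2_AC_STUB)

if __name__ == "__main__":
    for name, der in (("v1 only", WITH_V1), ("v1 + v2", WITH_V2)):
        for profile in CHOICES:
            try:
                print(name, profile, classify_certificate_set(der, profile))
            except DecodeError as e:
                print(name, profile, "DECODE ERROR:", e)
```

The point the walker makes is that acceptance is decided by the CHOICE tag before any certificate body is parsed: a [1] entry is handed through (as the SFL hands the encoded 1997 AC to the application), while a [2] entry is a decode error to any stack that only knows RFC 2630. A quick check on a real message is therefore to look for a context-specific [2] element directly inside the [0] certificates field of the SignedData; if one is present, the message will not decode on an RFC 2630-only implementation regardless of what the AC contains.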