In a recent message, John Pawling made the following observation:
> 3) Sec 3.2 specifies that the md5WithRSAEncryption or sha1WithRSAEncryption
> OID should be used in the signerInfo signatureAlgorithm field instead of the
> id-rsaEncryption OID. I agree with this strategy, but please note that this
> is a change from what is specified in RFC 2630. RFC 2630 specifies the use
> of id-rsaEncryption in the signerInfo signatureAlgorithm field. Is this
> change going to cause backwards compatibility problems with legacy CMS
> implementations?
I believe that the text in RFC 2630 was somewhat incomplete. Notice that
the corresponding section in cmsalg-02 and cmsalg-03 is significantly longer.
The approach documented in cmsalg-03 is aligned with the way that
certificates are handled in PKIX. That is, public keys are identified with
the rsaEncryption OID, and signature values are identified with either the
sha1WithRSAEncryption OID or the md5WithRSAEncryption OID.
Is cmsalg-03 documenting the best approach? WG Last Call on this document
is scheduled to end today. Since this issue has been raised on the last
day, I will not close WG Last Call until this thread reaches consensus.
Russ
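Added example, not part of the original thread or of any WG draft: a small DER decoder for the AlgorithmIdentifier values the thread argues about, and the check a CMS verifier has to perform on a SignerInfo under both conventions. With rsaEncryption in signatureAlgorithm (the RFC 2630 text) the identifier says nothing about the hash, so the digest must be taken from digestAlgorithm; with sha1WithRSAEncryption or md5WithRSAEncryption (cmsalg-03, the PKIX convention for signature values) the identifier names the hash itself and must agree with digestAlgorithm. The DER byte strings and the function names are constructed here for illustration; the OID values are the well-known PKCS #1 and digest arcs.

```python
# Added example (not from the original thread). Decodes DER AlgorithmIdentifier
# values and resolves the digest for a CMS SignerInfo under both the RFC 2630
# convention (rsaEncryption) and the cmsalg-03 / PKIX convention
# (sha1WithRSAEncryption, md5WithRSAEncryption). Sample DER is hand-constructed.

# OIDs named in the thread (PKCS #1 arc 1.2.840.113549.1.1)
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
MD5_WITH_RSA_ENCRYPTION = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA_ENCRYPTION = "1.2.840.113549.1.1.5"
# digest OIDs that appear in SignerInfo.digestAlgorithm
ID_MD5 = "1.2.840.113549.2.5"
ID_SHA1 = "1.3.14.3.2.26"

# hash-specific signature OID -> the digest it implies
SIGNATURE_OID_TO_DIGEST = {
    MD5_WITH_RSA_ENCRYPTION: ID_MD5,
    SHA1_WITH_RSA_ENCRYPTION: ID_SHA1,
}

# Constructed DER AlgorithmIdentifier values: SEQUENCE { OID, NULL }
ALGID_RSA_ENCRYPTION = bytes.fromhex("300d06092a864886f70d0101010500")
ALGID_MD5_WITH_RSA = bytes.fromhex("300d06092a864886f70d0101040500")
ALGID_SHA1_WITH_RSA = bytes.fromhex("300d06092a864886f70d0101050500")
ALGID_SHA1 = bytes.fromhex("300906052b0e03021a0500")
ALGID_MD5 = bytes.fromhex("300c06082a864886f70d02050500")

DER_NULL = b"\x05\x00"


def read_tlv(data: bytes, pos: int):
    """Read one definite-length DER TLV at pos; return (tag, contents, end offset)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n octets carry the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated TLV contents")
    return tag, data[pos:end], end


def decode_oid(body: bytes) -> str:
    """Decode the contents octets of an OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in body:                         # base-128 sub-identifiers, high bit = more
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                        # first sub-identifier packs the first two arcs
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_algorithm_identifier(der: bytes):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.
    Returns (dotted OID, raw parameters bytes or None)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid_body, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("algorithm field is not an OID")
    params = body[pos:] if pos < len(body) else None
    return decode_oid(oid_body), params


def resolve_signer_digest(digest_algorithm_der: bytes, signature_algorithm_der: bytes) -> str:
    """Return the digest OID a verifier must use for this SignerInfo, or raise.

    rsaEncryption (RFC 2630 style) does not name the hash: use digestAlgorithm.
    A hash-specific OID (cmsalg-03 / PKIX style) names it and must agree with
    digestAlgorithm; a mismatch means the SignerInfo is inconsistent.
    """
    digest_oid, _ = parse_algorithm_identifier(digest_algorithm_der)
    sig_oid, sig_params = parse_algorithm_identifier(signature_algorithm_der)
    if sig_oid != RSA_ENCRYPTION and sig_oid not in SIGNATURE_OID_TO_DIGEST:
        raise ValueError(f"unsupported signature algorithm {sig_oid}")
    if sig_params != DER_NULL:             # PKCS #1 RSA identifiers carry NULL parameters
        raise ValueError("RSA signature AlgorithmIdentifier must have NULL parameters")
    if sig_oid == RSA_ENCRYPTION:
        return digest_oid
    implied = SIGNATURE_OID_TO_DIGEST[sig_oid]
    if implied != digest_oid:
        raise ValueError(f"signatureAlgorithm implies {implied} but digestAlgorithm is {digest_oid}")
    return implied


if __name__ == "__main__":
    # the same SHA-1 signer encoded the RFC 2630 way and the cmsalg-03 way
    print(resolve_signer_digest(ALGID_SHA1, ALGID_RSA_ENCRYPTION))
    print(resolve_signer_digest(ALGID_SHA1, ALGID_SHA1_WITH_RSA))
```

A verifier written this way accepts legacy RFC 2630 SignerInfos and cmsalg-03 SignerInfos alike, which is the backward-compatibility question John raised; the extra consistency check only applies when the hash-specific identifier is present.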