Russ,
I believe that the requirement in section 5.3 about DER encoding of
SignedAttributes is too restrictive. The current statement is "Each
SignedAttribute in the SET MUST be DER encoded." I believe that the
intended statement is really "Each AttributeValue in the
SignedAttributes SET MUST be DER encoded."
Here is my problem. Assume that I have an attribute FOO with 3 values.
If I do the encode of the entire SignerInfo object in one shot, then I
cannot cause the sort of the attribute values without doing a DER
encoding of the SignerInfo object. It's easy to correctly DER encode an
attribute if the attribute values are correctly DER encoded, and this
deals with the potential problem of a third party having to decode and
re-encode the values.
Please make this change as it continues to satisfy the requirement
behind the added statement, but imposes the smallest requirement on the
implementors.
Jim
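The ordering problem Jim describes, worked through as an added example (this is not code from the message or from any CMS implementation). DER requires the components of a SET OF to be sorted by their encoded octets (X.690, clause 11.6), so the attrValues SET of an Attribute can only be sorted once every AttributeValue is already in canonical DER form; a value that arrives in a non-minimal BER encoding sorts into a different position and forces the signer or a third party to decode and re-encode it first. The attribute type OID 1.2.3.4 and the INTEGER-valued attribute are constructed placeholders standing in for the attribute "FOO" in the message; the tiny encoder below is written for the example and covers only the tags it needs.

```python
# Minimal DER encoder for:
#   Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF AttributeValue }
# Placeholder attribute type and INTEGER values are constructed for this example.

PLACEHOLDER_ATTR_OID = "1.2.3.4"  # constructed, stands in for attribute "FOO"


def der_length(n):
    """Definite-length encoding: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value):
    """INTEGER with the minimal two's-complement content octets DER requires."""
    magnitude = value if value >= 0 else -value - 1
    length = magnitude.bit_length() // 8 + 1  # room for the sign bit
    return der_tlv(0x02, value.to_bytes(length, "big", signed=True))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_set_of(encoded_components):
    """SET OF in DER: components sorted as octet strings, shorter ones
    padded at the trailing end with zero octets (X.690 11.6)."""
    width = max((len(c) for c in encoded_components), default=0)
    ordered = sorted(encoded_components, key=lambda c: c.ljust(width, b"\x00"))
    return der_tlv(0x31, b"".join(ordered))


def der_attribute(oid, encoded_values):
    """Attribute ::= SEQUENCE { attrType, attrValues SET OF AttributeValue }.
    The SET is sortable only because each value is already DER encoded."""
    return der_tlv(0x30, der_oid(oid) + der_set_of(encoded_values))


def is_minimal_integer(encoded):
    """Receiver-side check: reject an INTEGER whose content octets are not
    the minimal DER form (leading 0x00 or 0xFF that carries no information)."""
    if len(encoded) < 3 or encoded[0] != 0x02 or encoded[1] != len(encoded) - 2:
        return False
    content = encoded[2:]
    if len(content) == 1:
        return True
    if content[0] == 0x00 and content[1] < 0x80:
        return False
    if content[0] == 0xFF and content[1] >= 0x80:
        return False
    return True


def demo():
    """Same two values (5 and 300): DER-encoded values sort one way, a
    non-minimal BER encoding of 5 sorts the other way."""
    der_values = [der_integer(300), der_integer(5)]
    ber_five = b"\x02\x03\x00\x00\x05"  # value 5 with two redundant leading zeros
    ber_values = [der_integer(300), ber_five]
    return {
        "der_set": der_set_of(der_values),
        "ber_set": der_set_of(ber_values),
        "ber_five_is_der": is_minimal_integer(ber_five),
        "attribute": der_attribute(PLACEHOLDER_ATTR_OID, der_values),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result.hex() if isinstance(result, bytes) else result)
```

With DER values the SET content is `02 01 05 02 02 01 2c` (5 before 300); with the padded encoding of 5 the SET becomes `02 02 01 2c 02 03 00 00 05` (300 before 5), so anyone who must produce the canonical SET has to re-encode the value first, which is exactly the burden the proposed wording avoids. `is_minimal_integer` is the receiver-side check for the same rule.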