Malek,
I have presented some slides on that topic at the IETF meeting in Salt Lake
City in December 2001. The presentation is called "Signature delegation".
The main idea is to use an Attribute Certificate. Since Attribute
Certificates may incorporated in a CMS structure (see RFC 3126),
then no addition to the signature format is necessary.
In such a case, there would be two documents to produce:
1) a profile for an Attribute Certificate usable for delegation,
(a PKIW work item),
2) a document saying how such an Attribute Cetificate is verified when
present in the CMS structure defined in RFC 3126, (an S-MIME work item).
Hence why I am posting this document to the S-MIME working group too.
Denis
> I am trying to investigate the possibility to implement a delegated
electronic signature. I mean implement the fact that a signer has the
necessary attributes to sign on behalf of some-one else.
>
> My understanding is that we should address this question from 2 angles:
> 1. The signer should express in his signed message the fact that he is
signing on behalf of some-one else (fopr the sake of
> simplicity, let's say the superior).
> 2. The signer should have the necessary privleges to sign on behalf of
the superior
>
> If we take into consideration CMS signatures, a possible implementation
of the above two points can be summarized as follows:
>
> - Defining an additional attribute: "Detegated Signature". The fields of
this attributes may be a reference to the document where the
> privilege of signing on behalf someone else are expressed. It may
simply be teh hash of the superior signing certificate.
> - Adding this additional attribute as a signed attribute in the SigneInfo
of the signed data within the CMS signature.
> - Having a reference to the signature policy added a signed attribute.
Within the sigature policy, we should exress the fact that when a "delegated
signature" signature is added as a signed attribute, this mens that the
signatory is signing on behalf a "superior".
> - The document highlighting the privileges can be expressed within an
X509 Attribute certificate. This means that the SUPERIOR will have its own
ATTRIBUTE AUTHORITY. And the privilege withine the X509 attribute
certificate can be expressed as follows:
> Privilege type: OID describing the privilege of signature delegation
> Superior reference: Signing certificate of teh superior.
>
> This solution doesn't seem to be simple to express but provided that the
necessary ASN.1 structures exist, it is intuitive to implement.
>
> I have in mind several solutions but can you please tell me if signature
delegation has already been specified within some standard or RCF (up to my
knowledge, no such functionality has already been expressed in ETSI or PKIX
standards). And if it doen't exist, what do you think about the solution i
summarized above.
>
> regards,
>
> ___________________________________________________________
> Malek Bechlaghem
> e-Security Product Development Manager
> Strategy, Business Development and Product Management (SBP)
> Internet Business Unit (IBU)
> Belgacom SA/NV
> Bd du Roi Albert II, 27, B-1030 Brussels
>
> Tel.: +32 2 202 79 02
> Fax: +32 2 202 41 06
> E-mail: malek(_dot_)bechlaghem(_at_)belgacom(_dot_)be
>
> We bring security to the e-world : www.e-trust.be
>
>
>
>
> **** DISCLAIMER ****
> "This e-mail and any attachments thereto may contain information
> which is confidential and/or protected by intellectual property
> rights and are intended for the sole use of the recipient(s) named above.
> Any use of the information contained herein (including, but not limited to,
> total or partial reproduction, communication or distribution in any form)
> by persons other than the designated recipient(s) is prohibited.
> If you have received this e-mail in error, please notify the sender either
> by telephone or by e-mail and delete the material from any computer.
> Thank you for your cooperation."