Hello,
As I understand CMS rfc2630 and ESS rfc2634, it is possible to create a
SignedData with multiple signers (one signedData with multiple signerInfos).
Say one of these signers has included a ReceiptRequest in his
signedAttributes. How would another (subsequent) signer also add a
ReceiptRequest or modify the existing one? It looks like there is no
provision for this. The first signer to request a receipt pre-empts any
other signer who may wish a different receipt request. The receipt request
itself cannot be modified because it is a signed attribute. Can subsequent
signers pretend to be an MLAgent and add a mlReceiptPolicy?
Also, I find myself confused by statements in sections 2.2.1 and 2.3 from
the ESS rfc. These are highlighted by asterisks below
ESS 2.1 Signed Receipt Concepts
The originator of a message may request a signed receipt from the
message's recipients.
ESS 2.2 Receipt Request Creation
<snip>
Only one receiptRequest attribute can be included in the
signedAttributes of a SignerInfo.
ESS 2.2.1 Multiple Receipt Requests
There can be multiple SignerInfos within a SignedData object, and
each SignerInfo may include signedAttributes. Therefore, a single
SignedData object may include multiple SignerInfos, each SignerInfo
having a receiptRequest attribute. For example, an originator can
send a signed message with two SignerInfos, one containing a DSS
signature, the other containing an RSA signature.
Each recipient SHOULD return only one signed receipt.
/***Not all of the SignerInfos need to include receipt requests, but in
all of the SignerInfos that do contain receipt requests, the receipt
requests MUST be identical.***/
But
ESS 2.3 Receipt Request Processing
A receiptRequest is associated only with the SignerInfo object to
which the receipt request attribute is directly attached. Receiving
software SHOULD examine the signedAttributes field of each of the
SignerInfos for which it verifies a signature in the innermost
signedData object to determine if a receipt is requested. /***This may
result in the receiving agent processing multiple receiptRequest
attributes included in a single SignedData object, such as requests
made from different people who signed the object in parallel.***/
The "different people" are not making different requests? They're just
copying the first person's receipt request?
Thanks for your help,
- Lnr
____________________________________________
Lnr Foley
Baltimore Technologies
Web: <http://www.baltimore.com/> http://www.baltimore.com
_____________________________________________