Jim,
Comments in line.
Jim Schaad wrote:
A couple of additional questions for consideration.
1.  Consider the message S1(S2(S3(M))) where S2 has an
MLExpansionHistory attribute and S1 has an ESSSecurityLabel attribute.
Under the current processing rules the security label would not be on
the output message of an MLA.  Attributes on S2 are preserved, but not
those on S1.  Does this need to be changed?
 
I went back and forth on this one.  I can see why you want to keep a 
label, but I think you ought to only retain it if you actually track who 
applied it.  But, that's going to get really complicated so I'd say that 
you should not preserve the label in S1.

2.  Are there any other attributes for which this needs to be changed as
well?
 
Not sure off the top of my head.

3.  If you have the message S1(S2(E1(S3(M)))), if S1 or S2 contains an
ESSSecurityLabel attribute it would be preserved only if there was an
MLExpansionHistory attribute in the same signature layer.
 
Yes I think that's right.

4.  Are there any other attributes that need to be preserved here as
well?

5.  There is a rule that states all attributes need to be kept unless
replaced.  This needs to be modified to exclude the
id-aa-SigningCertificate attribute.  If this element is not replaced but
copied then the signature of the MLA SHOULD fail validation.  Can
anybody else think of attributes for which this is also true?
Jim