
RE: WG LAST CALL: draft-ietf-smime-pss-02.txt

2003-12-11 07:34:15

Hi Jim,

I understand the motivation, but the RSASSA-PSS-params specify the full
signature process, including the hash.

When using RSASSA-PSS in CMS, there are potentially three hashes (not
including the one on the mask generation function):

1. hash of eContent
2. hash of signedAttributes
3. hash within PSS padding

Hashes 2. and 3. are both part of the RSASSA-PSS signature process. In
RSASSA-PSS, hashes 2. and 3. MUST be the same. (This is part of the
definition of RSASSA-PSS, not a security requirement per se.)

This requirement does not present a problem for a timestamp authority. If
the timestamp authority is given only the hash of signedAttributes and the
hash algorithm (hash 2.), then the timestamp authority can just select the
same hash algorithm within the PSS padding (hash 3.).

-- Burt

-----Original Message-----
From: Jim Schaad [mailto:jimsch(_at_)nwlink(_dot_)com]
Sent: Thursday, December 11, 2003 3:55 AM
To: Kaliski, Burt; 'Blake Ramsdell'
Cc: ietf-smime(_at_)imc(_dot_)org
Subject: RE: WG LAST CALL: draft-ietf-smime-pss-02.txt


I wrote this as should since I do not want to rule out the ability for a
time stamp authority to be able to sign a message when just the hash and
hash algorithm are provided.

The two hash functions are in many ways independent; the hash and hash
algorithm are really part of the data that is then hashed as part of the
signature process.  This should refers to the body of the message,
producing a hash value that is part of the actual signature processing.
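
The timestamp-authority case discussed in this thread, as an added example that is not part of either message: EMSA-PSS encoding and verification that start from a digest of signedAttributes plus a hash algorithm name, with that one algorithm also used inside the padding. The RSA private-key operation is left out, MGF1 reuses the same hash, and the function names, fixed salt and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

def mgf1(seed, length, hash_name):
    # MGF1; reusing hash_name for the mask is a simplification made for this example.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def pss_encode_prehashed(m_hash, hash_name, em_bits, salt):
    # m_hash is hash 2 (the digest of signedAttributes); hash_name also drives hash 3.
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(m_hash) != h_len:
        raise ValueError("digest length does not fit the declared hash algorithm")
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoded message too short for this hash and salt")
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()  # hash 3
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, len(db), hash_name)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked) + h + b"\xbc"

def pss_verify_prehashed(m_hash, hash_name, em, em_bits, salt_len):
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    top = 0xFF >> (8 * em_len - em_bits)
    if len(m_hash) != h_len or len(em) != em_len or em_len < h_len + salt_len + 2:
        return False
    if em[-1] != 0xBC or em[0] & ~top & 0xFF:
        return False
    masked, h = em[:-h_len - 1], em[-h_len - 1:-1]
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, len(masked), hash_name)))
    db[0] &= top
    ps_len = em_len - h_len - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    expected = hashlib.new(hash_name, b"\x00" * 8 + m_hash + bytes(db[ps_len + 1:])).digest()
    return hmac.compare_digest(expected, h)

# Constructed sample: the requester hashes signedAttributes and sends only the
# digest and the algorithm name, as in the timestamp-authority case above.
SIGNED_ATTRS = b"constructed DER bytes standing in for signedAttributes"
DIGEST = hashlib.sha256(SIGNED_ATTRS).digest()
SALT = bytes(range(32))  # fixed salt so the example is reproducible
EM = pss_encode_prehashed(DIGEST, "sha256", 2047, SALT)
```

A verifier that assumes a different padding hash of the same length (for example sha3_256) rejects EM, and a digest whose length does not match the declared algorithm is refused at encoding time.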

