[Top] [All Lists]

RE: replacement for signedAndEnvelopedData for CMS with external encrypted data

2005-08-29 17:45:57


I can think of atleast one way of dealing with this that meets your problem
in the current CMS method.  That would be to emit the encrypted body into
the data file and then have a EncryptedData object followed by a SignedData
object in the header information file.  While this would not be strictly a
CMS object in the second file the code could easily understand that the two
items would follow in sequence.  


-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Alicia 
Sent: Monday, August 29, 2005 7:25 AM
To: ietf-smime(_at_)vpnc(_dot_)org
Subject: replacement for signedAndEnvelopedData for CMS with 
external encrypted data


SignedAndEnvelopedData has been deprecated for CMS.  Instead 
CMS SignedData structures with embedded data are encrypted 
and placed inside the optional EncryptedContent of a CMS 
EnvelopedData structure.

But one can have a CMS SignedData digital signature that is 
detached in a separate file from the original data.  And one 
can have a CMS EnvelopedData structrure with decryption 
details in a separate file from the encrypted data since the 
EncryptedContent is optional.

But without CMS support for SignedAndEnvelopedData, how does 
one impliment a detached file that is CMS compliant, 
containing a digital signature and decryption details, for a 
separate file or stream of encrypted data?  Detachment is 
critical if one is dealing with large (> 1GB) file or data streams.

There are many real world cases where you want to both sign 
and encrypt a message, and don't care if others can see who signed it.
Especially when one has a centralized trusted organiation, 
like a CA, software company, or service provider.  These 
trusted organiations can digital signed and distribute 
CUSTOMIZED secure data that is encrypted with the customers 
public keys.  This is useful for provisioning, VoIP, video on 
demand, etc.

If anyone has any reasonable work around for 
SignedAndEnvelopedData that works with detached encrypted 
data and still meets the CMS standards, please let me know.  
Otherwise it may be useful to look at ammending the CMS 
specification to include SignedAndEnvelopedData.

Thank you in advance.

<Prev in Thread] Current Thread [Next in Thread>