My comment was related to the syntax.
Another option would be not to use a fixed default but rather make the
hashAlgorithm OPTIONAL and say that it is the same as the one used
to create the surrounding signature (or SHA-1 if the hash length is less than
224 bits).
If one still uses the same attribute, the implementations that understand
SHA-256 in a signature and use ESSCertID would be hit.
But as P.G. said, if one uses another attribute...
Peter Gutmann wrote:
Peter Sylvester <Peter.Sylvester@edelweb.fr> writes:
    ESSCertIDv2 ::= SEQUENCE {
        certHash        Hash,
        issuerSerial    IssuerSerial OPTIONAL,
        hashAlgorithm   [0] AlgorithmIdentifier
                            DEFAULT { algorithm sha-1, parameters NULL }
    }
It'd be easier to just go with Russ' suggestion of:
    ESSCertIDv2 ::= SEQUENCE {
        hashAlgorithm   AlgorithmIdentifier
                            DEFAULT { algorithm sha-1, parameters NULL },
        certHash        Hash,
        issuerSerial    IssuerSerial OPTIONAL
    }
See my earlier message on why this won't present any backwards-compatibility
problems with the original ESSCertID.
Peter.
--
To verify the signature, see http://edelpki.edelweb.fr/
This lets you download the CA certificate;
the list of revoked certificates is also available there.
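Added example (not part of the thread, and not code from either poster): a hand-rolled DER encoder and decoder for the original ESSCertID and for the "hashAlgorithm first, DEFAULT sha-1" ESSCertIDv2 layout quoted above. It shows the property the thread relies on: because DER forbids encoding a component equal to its DEFAULT, a SHA-1 ESSCertIDv2 is byte-for-byte the same as an ESSCertID, while a SHA-256 ESSCertIDv2 starts with an AlgorithmIdentifier SEQUENCE where a pre-v2 decoder expects the certHash OCTET STRING. The OIDs for SHA-1 (1.3.14.3.2.26) and SHA-256 (2.16.840.1.101.3.4.2.1) are standard; the certificate bytes are constructed, issuerSerial is omitted, and the SHA-256 AlgorithmIdentifier is written without parameters (an assumption of this example, not something the thread specifies).

```python
"""DER encoding of ESSCertID vs. ESSCertIDv2 (hashAlgorithm first, DEFAULT sha-1).
Example code written for this page; the ASN.1 layout follows the quoted proposal."""
import hashlib

# DER contents of the algorithm OIDs (tag and length added by der_tlv).
OID_SHA1 = bytes.fromhex("2b0e03021a")            # 1.3.14.3.2.26
OID_SHA256 = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1

# Constructed stand-in for a DER certificate; any byte string works here.
SAMPLE_CERT = b"constructed sample certificate bytes for the example"


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (definite length, up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def parse_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def algorithm_identifier(oid: bytes) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    encoded without parameters (assumption of this example)."""
    return der_tlv(0x30, der_tlv(0x06, oid))


def ess_cert_id(cert_der: bytes) -> bytes:
    """Original ESSCertID ::= SEQUENCE { certHash Hash, issuerSerial OPTIONAL },
    Hash ::= OCTET STRING of SHA-1; issuerSerial omitted here."""
    return der_tlv(0x30, der_tlv(0x04, hashlib.sha1(cert_der).digest()))


def ess_cert_id_v2(cert_der: bytes, algo: str = "sha1") -> bytes:
    """ESSCertIDv2 with hashAlgorithm first and DEFAULT sha-1.
    DER requires a component equal to its DEFAULT to be omitted, so the
    SHA-1 case carries no AlgorithmIdentifier at all."""
    if algo == "sha1":
        prefix = b""  # equals the DEFAULT -> omitted under DER
        digest = hashlib.sha1(cert_der).digest()
    elif algo == "sha256":
        prefix = algorithm_identifier(OID_SHA256)
        digest = hashlib.sha256(cert_der).digest()
    else:
        raise ValueError("unsupported hash algorithm: %s" % algo)
    return der_tlv(0x30, prefix + der_tlv(0x04, digest))


def decode_v2(der: bytes) -> dict:
    """Decode ESSCertIDv2: a leading SEQUENCE is the AlgorithmIdentifier,
    anything else means hashAlgorithm took its DEFAULT (SHA-1)."""
    outer_tag, body, _ = parse_tlv(der, 0)
    if outer_tag != 0x30:
        raise ValueError("ESSCertIDv2 must be a SEQUENCE")
    tag, content, pos = parse_tlv(body, 0)
    if tag == 0x30:
        _, oid, _ = parse_tlv(content, 0)  # first component: algorithm OID
        algo = {OID_SHA1: "sha1", OID_SHA256: "sha256"}.get(oid, oid.hex())
        tag, content, pos = parse_tlv(body, pos)
    else:
        algo = "sha1"  # DEFAULT
    if tag != 0x04:
        raise ValueError("certHash must be an OCTET STRING")
    return {"hashAlgorithm": algo, "certHash": content}


def legacy_decoder_accepts(der: bytes) -> bool:
    """Behaviour of a pre-v2 ESSCertID decoder: it demands certHash first.
    A v2 value with an explicit hashAlgorithm is therefore rejected."""
    outer_tag, body, _ = parse_tlv(der, 0)
    if outer_tag != 0x30:
        return False
    tag, _, _ = parse_tlv(body, 0)
    return tag == 0x04


if __name__ == "__main__":
    same = ess_cert_id_v2(SAMPLE_CERT) == ess_cert_id(SAMPLE_CERT)
    print("SHA-1 ESSCertIDv2 identical to ESSCertID:", same)
    v2_256 = ess_cert_id_v2(SAMPLE_CERT, "sha256")
    print("decoded:", decode_v2(v2_256)["hashAlgorithm"])
    print("legacy decoder accepts SHA-256 v2:", legacy_decoder_accepts(v2_256))
```

The interesting consequence for the thread's debate is the last check: whether an old ESSCertID decoder ever sees a SHA-256 ESSCertIDv2 depends entirely on whether the value is carried in the old signingCertificate attribute or in a new one, which is the point made at the top of the message.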