I have two major problems.
A first series, related to whether the document deals with multiple signatures
from the same signer or several signatures from different signers.
I believe that the document tries to address the former goal, but since
this is not clearly stated, readers might be confused.
This appears first in the abstract:
This document clarifies the proper handling of the SignedData protected
content type when more than one digital signature is present.
which should be changed into:
This document clarifies the proper handling of the SignedData protected
content type when more than one digital signature from the same signer is
present.
If that change is agreed in general, then the following sentence
that appears on page 1, section 1 is incorrect:
"This document
provides replacement text for a few paragraphs, making it clear that
the protected content is valid if any of the digital signatures is
valid".
Other changes would need to be made throughout the document.
A second series, related to how to pick the right public key:
Issue 1: Section 3, page 3.
| The signer's public key is referenced either by an issuer
| distinguished name along with an issuer-specific serial number or by
| a subject key identifier that uniquely identifies the certificate
| containing the public key.
An issuer distinguished name along with an issuer-specific serial number
is not necessarily sufficient to identify the right signer's public key
(see ESSCertId).
Issue 2: Section 3, page 3.
| The signer's certificate can be included
| in the SignedData certificates field.
Yes, it can, but it is unprotected, so no guarantee that it is the right one.
The text should be clearer about the various ways to pick the right public key.
Denis
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the S/MIME Mail Security Working Group of the
IETF.
Title : Cryptographic Message Syntax (CMS) Multiple Signer Clarification
Author(s) : R. Housley
Filename : draft-ietf-smime-cms-mult-sign-00.txt
Pages : 5
Date : 2006-4-21
This document updates the Cryptographic Message Syntax (CMS), which
is published in RFC 3852. This document clarifies the proper
handling of the SignedData protected content type when more than one
digital signature is present.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-smime-cms-mult-sign-00.txt
Regards,
Denis Pinkas
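An added example, not part of Denis's message or of the draft, that works through Issues 1 and 2 above in Go. It contrasts a verifier that picks the signer's public key by issuer name and serial number alone with one that also requires the selected certificate to match a certificate hash carried in the signed attributes, which is the ESSCertID idea (SHA-256 here, as in ESSCertIDv2 of RFC 5035, rather than the SHA-1 of the original ESSCertID). The SignerInfo and signed attributes are a simplified model built for this example, not a CMS encoder, and all certificates are constructed inline: two leaf certificates with identical issuer name and serial number but different keys, issued by two freshly generated CAs that share a DN, stand in for the case where issuer+serial does not uniquely identify a certificate and the unprotected certificates field is under the attacker's control.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// signerInfo models only the parts of a CMS SignerInfo that matter for key selection.
type signerInfo struct {
	Issuer    []byte // DER issuer Name of sid (IssuerAndSerialNumber form)
	Serial    *big.Int
	Attrs     signedAttrs // signed attributes, covered by Signature
	Signature []byte
}

// signedAttrs is what the signature covers; CertHash stands in for the ESSCertIDv2
// certHash (SHA-256 over the DER certificate, RFC 5035). Simplified model, not CMS.
type signedAttrs struct{ CertHash, ContentDigest []byte }

func (a signedAttrs) digest() []byte {
	der, _ := asn1.Marshal(a) // SEQUENCE of two OCTET STRINGs; cannot fail
	sum := sha256.Sum256(der)
	return sum[:]
}

// sign commits to the signer's certificate inside the signed attributes.
func sign(key *ecdsa.PrivateKey, cert *x509.Certificate, content []byte) (signerInfo, error) {
	cd, ch := sha256.Sum256(content), sha256.Sum256(cert.Raw)
	attrs := signedAttrs{CertHash: ch[:], ContentDigest: cd[:]}
	sig, err := ecdsa.SignASN1(rand.Reader, key, attrs.digest())
	return signerInfo{Issuer: cert.RawIssuer, Serial: cert.SerialNumber, Attrs: attrs, Signature: sig}, err
}

// candidates is the lookup the draft describes: every certificate in the unprotected
// certificates field whose issuer name and serial number match sid.
func candidates(si signerInfo, certs []*x509.Certificate) (out []*x509.Certificate) {
	for _, c := range certs {
		if bytes.Equal(c.RawIssuer, si.Issuer) && c.SerialNumber.Cmp(si.Serial) == 0 {
			out = append(out, c)
		}
	}
	return out
}

// verify takes the first issuer+serial match. With bindCert it also requires the
// candidate's hash to equal the signed certHash, so a swap in the unprotected
// certificates field cannot steer the verifier to a certificate the signer never used.
func verify(si signerInfo, certs []*x509.Certificate, content []byte, bindCert bool) (*x509.Certificate, error) {
	cd := sha256.Sum256(content)
	for _, c := range candidates(si, certs) {
		if h := sha256.Sum256(c.Raw); bindCert && !bytes.Equal(h[:], si.Attrs.CertHash) {
			continue // sid matches, but this is not the certificate the signer committed to
		}
		pub, ok := c.PublicKey.(*ecdsa.PublicKey)
		if ok && bytes.Equal(cd[:], si.Attrs.ContentDigest) && ecdsa.VerifyASN1(pub, si.Attrs.digest(), si.Signature) {
			return c, nil
		}
		return c, fmt.Errorf("signature does not verify under the selected certificate")
	}
	return nil, fmt.Errorf("no certificate matches sid (bindCert=%v)", bindCert)
}

// mustCert issues a leaf for cn under a fresh CA named caCN. Two calls with the same
// caCN and serial give certificates that issuer+serial cannot tell apart but whose
// keys differ. Panics on failure: this only builds constructed test data.
func mustCert(caCN, cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caCN},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, leafKey
}

// scenario (constructed for this example) returns the honest SignerInfo, a certificates
// field that lists an impostor with the same issuer name and serial number ahead of the
// real certificate, the real certificate itself, and the signed content.
func scenario() (signerInfo, []*x509.Certificate, *x509.Certificate, []byte, error) {
	legit, key := mustCert("Example CA", "Denis", 4242)
	impostor, _ := mustCert("Example CA", "Denis", 4242)
	content := []byte("constructed sample content")
	si, err := sign(key, legit, content)
	return si, []*x509.Certificate{impostor, legit}, legit, content, err
}

func main() {
	si, certs, legit, content, err := scenario()
	if err != nil {
		panic(err)
	}
	_, naiveErr := verify(si, certs, content, false)
	c, boundErr := verify(si, certs, content, true)
	fmt.Printf("candidates=%d naive=%v bound_picked_real=%v bound=%v\n", len(candidates(si, certs)), naiveErr, c == legit, boundErr)
}
```

Run with `go run`: the issuer+serial-only verifier rejects a perfectly valid message because the impostor certificate is listed first, while the bound verifier skips it, selects the real certificate, and rejects a certificates field from which the real certificate has been removed. The signed certHash is the only thing here that the attacker cannot change without invalidating the signature, which is why the lookup must be anchored to it rather than to the unprotected certificates field.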