On Fri, Jan 26, 2007 at 04:02:28AM -0800, Blake Ramsdell wrote:
> Julien Stern wrote:
>> I am just faced with a simple practical problem, namely: what is an
>> implementation supposed to do when it receives a CMS message where
>> the hash function in the digestAlgorithm and the signedAlgorithm
>> are not the same? I mean, there must be quite a large number of CMS
>> implementations that were faced with the same problem!
>
> Now, a "tough guy" implementation might take the precaution that every
> other implementation is crazy, and digest with every algorithm that they
> understand. In my case, I always digest with MD5 and SHA-1. So I
> personally don't listen to the digestAlgorithms field in SignedData or
> the digestAlgorithm field in SignerInfo. When I get to the signature
> verification, I say "OK, so which digest do I need" and use the right
> one (or freak out if it's not one of those). So I never have the
> heartache of betrayal from these fields, at the acceptable (in my case)
> cost of performance.

Thank you for your input.
I like your interpretation (considering the digest as a pure hint) too.

>> - What should be the behavior of a verification algorithm which is
>> faced with such a situation?
>
> Not sure if it's specified anywhere, but that's up to the implementation
> I would say.

OK. I guess I have my answer :) So, I'll go for either "reject"
or "use only digests as a hint".
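The two verifier policies discussed in this thread ("reject" on a digestAlgorithm / signature-algorithm mismatch, or treat digestAlgorithm as a hint and derive the hash from the signature algorithm) can be sketched as follows. This is an added illustration, not code from either poster; it models SignerInfo as a small dataclass with the relevant OIDs rather than parsing real ASN.1, uses a constructed message, and only checks the messageDigest signed attribute (the public-key signature check itself is out of scope here). The OIDs are the standard ones for MD5, SHA-1, SHA-256 and their RSA signature variants.

```python
import hashlib
from dataclasses import dataclass

# Digest algorithm OIDs as they appear in SignerInfo.digestAlgorithm.
HASH_OIDS = {
    "1.2.840.113549.2.5": "md5",        # md5
    "1.3.14.3.2.26": "sha1",            # sha-1
    "2.16.840.1.101.3.4.2.1": "sha256", # sha-256
}

# Signature algorithm OIDs that bind a specific hash (RSA PKCS#1 v1.5 variants).
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "md5",     # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",    # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256", # sha256WithRSAEncryption
}


@dataclass
class SignerInfo:
    """Minimal stand-in for the CMS SignerInfo fields this check needs (constructed model)."""
    digest_algorithm: str      # OID from digestAlgorithm
    signature_algorithm: str   # OID from signatureAlgorithm
    message_digest_attr: bytes # value of the messageDigest signed attribute


def digest_all(content: bytes) -> dict:
    """The 'tough guy' strategy: hash the content with every algorithm we understand,
    so we never depend on the declared digestAlgorithm to know which one to compute."""
    out = {}
    for name in set(HASH_OIDS.values()):
        try:
            out[name] = hashlib.new(name, content).digest()
        except ValueError:
            # e.g. MD5 disabled on a FIPS build; just treat it as not understood.
            pass
    return out


def verify_message_digest(si: SignerInfo, content: bytes, policy: str = "hint") -> tuple:
    """Return (ok, reason, hash_name).

    policy="reject": the declared digestAlgorithm must agree with the hash implied
                     by signatureAlgorithm, otherwise the message is refused.
    policy="hint":   digestAlgorithm is ignored; the hash implied by the signature
                     algorithm is authoritative (Blake's approach in the thread).
    """
    sig_hash = SIG_ALG_HASH.get(si.signature_algorithm)
    if sig_hash is None:
        return (False, "unknown signatureAlgorithm", None)

    declared = HASH_OIDS.get(si.digest_algorithm)
    if policy == "reject" and declared != sig_hash:
        return (False, "digestAlgorithm does not match signatureAlgorithm", sig_hash)

    digests = digest_all(content)
    if sig_hash not in digests:
        return (False, "hash required by signatureAlgorithm not available", sig_hash)

    # The messageDigest attribute must equal the content hash under the hash that the
    # signature actually covers; any other choice lets a mismatched field slip through.
    if digests[sig_hash] != si.message_digest_attr:
        return (False, "messageDigest attribute mismatch", sig_hash)
    return (True, "ok", sig_hash)


# Constructed sample: a signer that declared SHA-1 in digestAlgorithm but actually
# signed with sha256WithRSAEncryption, the inconsistency the thread is about.
CONTENT = b"constructed sample content for the CMS digest check"
MISMATCHED_SIGNER = SignerInfo(
    digest_algorithm="1.3.14.3.2.26",
    signature_algorithm="1.2.840.113549.1.1.11",
    message_digest_attr=hashlib.sha256(CONTENT).digest(),
)

if __name__ == "__main__":
    for pol in ("hint", "reject"):
        print(pol, verify_message_digest(MISMATCHED_SIGNER, CONTENT, pol))
```

Under the "hint" policy the sample verifies because the SHA-256 digest matches what the signature algorithm implies; under "reject" the same message is refused before any hashing is done. Either way the declared digestAlgorithm is never the thing that decides which hash the messageDigest attribute is compared against.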