ietf-smime

Re: Straw Poll: encoding of authenticated attributes in cms-auth-enveloped ID

2007-03-29 11:10:38
I don't care very much but tend to be conservative, thus A.

There is also a third option: A+B and changing the tag of the
authenticated attributes.

It is not only SignedData, AuthenticatedData also has the A encoding
as far as I understand, see below.

I am not sure, but why are the AuthAttributes there before the content?
Although a messagedigest is not part of the AuthAttributes, this means
that when an AuthAttributes for SignedData or AuthenticatedData
requires reading the data, this gets difficult to use. I am thinking,
for example, of a timestamp as an attribute.

Russ Housley wrote:
I'd like to add one point. Please look at section 9 of RFC 3852. The authenticated attributes in AuthenticatedData follow choice B).
Russ, are you sure?

  If authAttrs field is present, the content-type attribute (as
  described in Section 11.1) and the message-digest attribute (as
  described in section 11.2) MUST be included, and the input to the MAC
  calculation process is the DER encoding of authAttrs.  A separate
  encoding of the authAttrs field is performed for message digest
  calculation.  The IMPLICIT [2] tag in the authAttrs field is not used
  for the DER encoding, rather an EXPLICIT SET OF tag is used.  That
  is, the DER encoding of the SET OF tag, rather than of the IMPLICIT
  [2] tag, is to be included in the message digest calculation along
  with the length and content octets of the authAttrs value.



Russ


At 01:34 PM 3/27/2007, Turner, Sean P. wrote:

At IETF 68, Russ Housley presented a summary of the Authenticated-Enveloped-Data content type (the slides can be found at https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=68 ). There was one open issue (the last slide) that dealt with the encoding of authenticated attributes. It was discussed at the meeting; however, responses from a wider audience (i.e., this list) are necessary. Please indicate your preference on whether:

A) The encoding of the authenticated attributes should be done exactly the same as in SignedData.

B) The encoding of the authenticated attributes should use the encoding that will be transmitted.

We are soliciting feedback until 10 April 2007.

spt
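To make the difference between options A and B concrete, here is an added example (not part of this thread or of any CMS implementation) that builds a minimal AuthenticatedData authAttrs field with the two mandatory attributes from RFC 3852 section 9 (content-type and message-digest), shows the transmitted form with the IMPLICIT [2] tag, and derives the MAC input under each option. The OIDs are the real CMS ones; the choice of SHA-256 for the digest, HMAC-SHA256 for the MAC, the key and the content are constructed for the demo and are not prescribed by the thread. Under option A the recipient re-tags the received value with the universal SET OF tag before MACing (as section 9 describes); under option B it MACs the wire octets as received. The last function shows what happens when sender and recipient pick different conventions: the MAC no longer verifies, which is the interoperability problem the poll is trying to settle.

```python
"""Option A vs option B for authAttrs in AuthenticatedData (RFC 3852 s.9).

Added example; tiny hand-rolled DER encoder, no external CMS library.
"""
import hashlib
import hmac

# Real CMS object identifiers (RFC 3852 sections 4, 11.1 and 11.2)
OID_ID_DATA = "1.2.840.113549.1.7.1"
OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"

TAG_SET_OF = 0x31          # universal SET OF, constructed
TAG_CTX_2_IMPLICIT = 0xA2  # [2] IMPLICIT, constructed: AuthenticatedData.authAttrs


def der_length(n):
    """DER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, others base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def der_set_of(elements):
    # DER requires SET OF members in ascending order of their encodings (X.690 11.6)
    return der_tlv(TAG_SET_OF, b"".join(sorted(elements)))


def cms_attribute(attr_type, attr_value):
    # Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF AttributeValue }
    return der_tlv(0x30, der_oid(attr_type) + der_set_of([attr_value]))


def build_auth_attrs(content):
    """authAttrs as it appears on the wire: [2] IMPLICIT SET OF Attribute.

    IMPLICIT tagging replaces the SET OF tag byte, so only the first octet
    differs from the explicit SET OF encoding; length and content are shared.
    """
    digest = hashlib.sha256(content).digest()  # SHA-256 chosen for the demo
    attrs = [
        cms_attribute(OID_CONTENT_TYPE, der_oid(OID_ID_DATA)),
        cms_attribute(OID_MESSAGE_DIGEST, der_tlv(0x04, digest)),
    ]
    explicit = der_set_of(attrs)
    return bytes([TAG_CTX_2_IMPLICIT]) + explicit[1:]


def mac_input_option_a(transmitted):
    """Option A (RFC 3852 s.9 text): swap the IMPLICIT [2] tag for SET OF before MACing."""
    if transmitted[0] != TAG_CTX_2_IMPLICIT:
        raise ValueError("authAttrs must carry the [2] IMPLICIT tag")
    return bytes([TAG_SET_OF]) + transmitted[1:]


def mac_input_option_b(transmitted):
    """Option B: MAC over exactly the octets that were transmitted."""
    return transmitted


def compute_mac(key, mac_input):
    # HMAC-SHA256 stands in for whatever MAC algorithm the message negotiates
    return hmac.new(key, mac_input, hashlib.sha256).digest()


def verify(key, transmitted, mac, convention):
    """Recipient-side check under convention 'A' or 'B'; True if the MAC matches."""
    derive = mac_input_option_a if convention == "A" else mac_input_option_b
    return hmac.compare_digest(compute_mac(key, derive(transmitted)), mac)


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed, not a real key
    content = b"constructed sample content"  # constructed sample content
    wire = build_auth_attrs(content)
    print("transmitted authAttrs:", wire.hex())
    mac_a = compute_mac(key, mac_input_option_a(wire))
    print("sender A / recipient A verifies:", verify(key, wire, mac_a, "A"))
    print("sender A / recipient B verifies:", verify(key, wire, mac_a, "B"))
```

The same re-tagging rule applies to SignedData, where signedAttrs carries the IMPLICIT [0] tag (0xA0) instead of [2]; only the tag constant changes, the length and content octets are identical under both encodings.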
