AlgorithmIdentifier, SHA-1, etc.
2007-04-06 11:59:54

I'm trying to get a handle on how one ought to encode AlgorithmIdentifier. As people will perhaps remember, the ASN.1 is:

   AlgorithmIdentifier  ::=  SEQUENCE  {
        algorithm               OBJECT IDENTIFIER,
        parameters              ANY DEFINED BY algorithm OPTIONAL  }
                                   -- contains a value of the type
                                   -- registered for use with the
                                   -- algorithm object identifier value

Present hash functions do not take any useful parameters, leaving us with two encoding options:

- omit the parameter.
- include a NULL

To make things more complicated, there are (at least) two different contexts in which this production appears:

- The S/MIME DigestAlgorithmIdentifier production.
- Inside the DigestInfo of the S/MIME signature.

RFC 3370's guidance is to omit the parameter for SHA-1 and include a NULL for MD5 (see S 2.1 and 2.2.). However, the current PKCS#1 errata (ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1errata.txt) recommend that when one is encoding DigestInfo, one should encode it as NULL:

   Exception: When formatting the DigestInfoValue in EMSA-PKCS1-V1.5
   (see 9.2), the parameters field associated with id-sha1, id-sha256,
   id-sha384 and id-sha512 SHALL have a value of type NULL. This is to
   maintain compatibility with existing implementations and with the
   numeric information values already published for EMSA-PKCS1-V1.5
   which are also reflected in IEEE 1363a-2004[27].

My understanding from discussions in Prague is that this reflects NIST's current guidance as well.

Technically these don't conflict, but obviously, it's undesirable to have the encoding in the message not match that in the DigestInfo, since doing binary comparisons is common practice here.

So, what's the right answer here?

-Ekr
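
The two SHA-1 encodings discussed above, as an added example that is not part of the original post: it builds a DigestInfo with absent and with NULL parameters, so the byte difference is visible, and shows one way a verifier could compare decoded values instead of raw bytes. All function names are hypothetical, the sample message is constructed, and the DER handling is hand-rolled and supports short-form lengths only.

```python
import hashlib

SHA1_OID = bytes.fromhex("06052b0e03021a")  # DER TLV of OID 1.3.14.3.2.26 (id-sha1)
DER_NULL = b"\x05\x00"

def tlv(tag, body):
    """DER TLV, short-form length only (enough for these small structures)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def algorithm_identifier(oid_tlv, null_params):
    # parameters is OPTIONAL: either omitted entirely or an explicit NULL
    return tlv(0x30, oid_tlv + (DER_NULL if null_params else b""))

def digest_info(message, null_params):
    digest = hashlib.sha1(message).digest()
    return tlv(0x30, algorithm_identifier(SHA1_OID, null_params) + tlv(0x04, digest))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos); rejects long-form lengths and truncation."""
    if pos + 2 > len(buf) or buf[pos + 1] >= 0x80:
        raise ValueError("unsupported or truncated TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos], buf[pos + 2:end], end

def parse_digest_info(der):
    """Return (oid, digest); parameters must be absent or NULL, no trailing bytes."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, alg, pos = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    otag, oid, opos = read_tlv(alg, 0)
    if otag != 0x06 or alg[opos:] not in (b"", DER_NULL):
        raise ValueError("unexpected algorithm or parameters")
    tag, digest, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("bad digest or trailing data")
    return oid, digest

def same_digest_info(a, b):
    """Compare decoded (oid, digest) pairs rather than the raw encodings."""
    return parse_digest_info(a) == parse_digest_info(b)
```

A strict binary comparison of the two encodings fails even though both carry the same algorithm and digest; the decoded comparison accepts either form while still rejecting any other parameter value or trailing bytes.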