On the second item, I disagree. The authenticated attributes are handled the same as in AuthenticatedData. While I understand that the use of a SEQUENCE instead of a SET would be easier to process, that would mean that an implementation could not take advantage of existing attribute handling routines.
In your proposal, the attributes are placed before the data. Why? As far as I understand, there is no difference between the handling of authenticated attributes in signedData and authenticatedData, so why introduce any new mode here?

Your argument about SEQUENCE vs SET sounds wrong to me: if you have an implicit tagging that replaces sequence or set, then coding or decoding becomes essentially the same, except that you won't need to sort the attributes before coding, but it wouldn't hurt if you do. On the other hand, if you really verify the order when decoding, then sequence hurts, but there are several implementations which ignore the encoded order as far as I know, and others which fail to sort, etc.
Russ
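The SET-versus-SEQUENCE point argued above, as an added example that is not part of this thread: minimal DER (X.690) helpers, written here rather than taken from any CMS library, encode the same two CMS signed attributes as a DER SET OF (with the implicit [0] tag CMS uses for signedAttrs), where the encoder must sort elements by their encoded octets, and as a SEQUENCE OF, where the supplied order is kept, plus the strict receiver check that flags an out-of-order SET OF. The attribute type OIDs are the standard CMS ones; the 4-byte digest value is constructed.

```python
# Added example, not from the thread: minimal DER (X.690) helpers, short-form
# lengths only, which is enough for the small attributes built below.
def der_tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 0x80, "short-form length only"
    return bytes([tag, len(content)]) + content

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128 arcs, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_set_of(elements, tag: int = 0x31) -> bytes:
    # DER (X.690 11.6): SET OF elements are sorted by their encoded octets.
    # tag=0xA0 gives the [0] IMPLICIT form CMS uses for signedAttrs.
    return der_tlv(tag, b"".join(sorted(elements)))

def der_sequence_of(elements) -> bytes:
    # SEQUENCE OF keeps whatever order the encoder supplied.
    return der_tlv(0x30, b"".join(elements))

def der_attribute(oid: str, values) -> bytes:
    # Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF ANY }
    return der_tlv(0x30, der_oid(oid) + der_set_of(values))

def der_elements(tlv: bytes) -> list:
    # Split a constructed value's content octets into its element encodings.
    content, out, i = tlv[2:], [], 0
    while i < len(content):
        end = i + 2 + content[i + 1]
        out.append(content[i:end])
        i = end
    return out

def elements_in_der_order(tlv: bytes) -> bool:
    # Strict receiver check: a DER SET OF whose elements are out of order is invalid.
    elems = der_elements(tlv)
    return elems == sorted(elems)

# Two standard CMS signed attributes (real OIDs); the 4-byte digest is constructed.
CONTENT_TYPE_ATTR = der_attribute("1.2.840.113549.1.9.3", [der_oid("1.2.840.113549.1.7.1")])
MESSAGE_DIGEST_ATTR = der_attribute("1.2.840.113549.1.9.4", [der_tlv(0x04, b"\xde\xad\xbe\xef")])
ATTRS = [CONTENT_TYPE_ATTR, MESSAGE_DIGEST_ATTR]  # supplied in non-DER order
```

Encoding ATTRS with der_set_of yields identical bytes whatever order the caller supplied, while der_sequence_of preserves the caller's order and so fails the strict ordering check.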