Paul Hoffman a écrit :
At 9:31 AM +0100 3/19/09, Julien Stern wrote:
Isn't it dangerous to ignore a _signed_ attribute ?
No. The fact that the signer wanted the data to be protected in transport doesn't mean
that it is inherently important to the recipient. The decision to sign an attribute is
usually made by the software developer (and could come down to "well, why
not?"), not the sender.
Paul,
The problem is that for some specific attributes (such as some in RFC
2634, RFC 5035 or CAdES) begin capable of processing the attribute or
not will influence the actual result of signature validation.
Also, when you are writing the these attributes are ignored, do you mean that
they MUST be ignored or that they MAY be ignored? E.g. if my implementation
fails upon receiving a signature with an unknown signed attribute, would you
consider this non-standard? Or is this behavior up to the implementor?
The latter. Remember, we can't say what it really means to "understand" an
attribute.
OK. Thanks. One (hopefully) last question:
if in CAdES (which extends CMS as you surely know), we mandated
signature validation to stop if a signed attribute is not supported by
the verifying implementation, would you consider this inconsistent with
CMS or not?
Best regards,
--
Julien