
Re: Last Call: draft-ietf-smime-cms-mult-sign (Cryptographic Message Syntax (CMS) Multiple Signer Clarification) to Proposed Standard

2007-02-15 07:56:53

1 - The document goes beyond specifying how to determine if a message
is validly signed by a given signer. The core of the dispute is the following proposed sentence:

|     When the collection represents more than one signature, the successful
|     validation of one of signature from each signer ought to be
|     treated as a successful validation of the signed-data content type.

This sentence implicitly states that the document as a whole is well signed when all the signers have signed it!!! It cannot stay like that.
The text may be misleading, but there is 'a successful', not just 'successful'. Maybe
one should clarify 'one of the successful' for that signer or so.

It should say: Whenever you detect several signatures from the same signer, then
it is usually sufficient that only one is valid.

The intent was to say the message was validly signed by a given signer, if any of the digital signatures from that signer is valid.
I think there is consensus.


The key question is first: How can the CMS engine (*not* the application) determine which digital signatures are from the same signer?
I understand that this is out of scope of the document. I don't say that I agree.
The second point (and I have not mentioned this argument before) is that saying that "the message was validly signed by a given signer, if any of the digital signatures from that signer is valid" only works if the algorithms used are *all* considered as secure. A few words in the security considerations section (only 3 lines today) would certainly help to take care of that point.
Since a non secure algorithm would be rejected, the signature would not be validated. But
adding a comment in the security section can help.

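The per-signer rule discussed in this message, as an added example that is not part of the original e-mail or of the draft: a signer counts as validated if any one of that signer's signatures verifies under an accepted algorithm, and whether every required signer has signed is a separate, application-level decision. Assumptions: the `signer_id` grouping key (how an engine maps signatures to a signer is left open in the thread), the `ACCEPTED_ALGS` policy, the algorithm labels, and the precomputed `crypto_ok` flag are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a local policy allowlist. The thread names no specific algorithms.
ACCEPTED_ALGS = {"sha256WithRSA", "ecdsa-with-SHA256"}


@dataclass(frozen=True)
class SignerInfo:
    signer_id: str   # hypothetical grouping key for "same signer"
    algorithm: str   # constructed label for the signature algorithm
    crypto_ok: bool  # outcome of the cryptographic check, computed elsewhere


def validate_signers(infos, accepted=ACCEPTED_ALGS):
    """Map each signer to True if ANY of its signatures both verifies
    and uses an accepted algorithm; signatures under other algorithms
    are rejected before the any-of rule is applied."""
    per_signer = defaultdict(list)
    for si in infos:
        per_signer[si.signer_id].append(si)
    return {
        signer: any(si.crypto_ok and si.algorithm in accepted for si in sigs)
        for signer, sigs in per_signer.items()
    }


def signed_by(infos, required, accepted=ACCEPTED_ALGS):
    """Application-level decision: every signer in `required` must be valid.
    A required signer with no signature at all counts as not valid."""
    result = validate_signers(infos, accepted)
    return all(result.get(signer, False) for signer in required)


# Constructed sample: three signers, some with two signatures each.
SAMPLE = [
    SignerInfo("alice", "md5WithRSA", True),      # verifies, weak algorithm
    SignerInfo("alice", "sha256WithRSA", True),   # verifies, accepted algorithm
    SignerInfo("bob", "md5WithRSA", True),        # only the weak one verifies
    SignerInfo("bob", "sha256WithRSA", False),    # accepted algorithm, bad signature
    SignerInfo("carol", "ecdsa-with-SHA256", False),
]

if __name__ == "__main__":
    print(validate_signers(SAMPLE))
    print(signed_by(SAMPLE, {"alice", "bob"}))
```

Widening `accepted` to include the weak label makes `bob` validate on the weak signature alone, which is the case the security considerations remark in the message is about.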