Steve:
I'll duck the second issue and let others deal with it. As to the first
issue you raise (cited above), I'm not sure I understand the difficulty.
Isn't this capability inherent in MIME. To be specific, MIME messages may
contain any number of parts, all gathered together as one body of type
multiplart/mixed. To send a message that contains some protected material
and also contains a certificate chain, all that's necessary is to create
the protected material as a MIME object, created the certificate chain as a
separate MIME object, and then combine the two into a single MIME object.
Yes, that's right. I am not asking for any change to the technical
specifications - just a brief decription of how a certificate (or chain) can be
carried along with a signed message, in order to remove an apparent
functionality disparity with RFC 1421. One way to achieve this would be to
include an example in section 6, although a sentence or two of explanation
could
equally satisfy.
The reason this is important is that digital signature implementations can be
simplified/optimized if it can be assumed that the signer's certificate (and,
possibly, other certificates in the chain) always/frequently accompany the
signature. Of course, there is a downside here in terms of potentially
excessive communications overhead, so we do not want to mandate this for
everyone. The approach taken in all other protocols I know (e.g., RFC 1421,
X.400, SPKM) is to build-in optional provision for conveying certificate(s)
with
the signature, recognizing that different applications/communities/environments
might agree conditions under which the certificate(s) is included. I believe
MOSS should do the same, i.e., there should be a stated way of conveying
certificate(s) with a signature if someone wants to do that.
Your words just about do it. However, I feel the description should
suggest/recommend (?) having the object conveying the certificate(s) precede
the
signed object in the message, to enable the signature to be processed without
lookahead in the message.
In summary, I am not asking for a change to the technical specification - just
a
description/example of a mode of use of MOSS, showing how MOSS can support this
certificates-accompanying-signature function. You are right - it is not
difficult, and I cannot imagine why anyone would object. Look at it as a plank
reinforcing the argument that MOSS can do (at least) everything that RFC 1421
does.
Warwick