What do we sign
Hi,
During interoperability testing I have hit a difference of opinions on what
data is signed. For a multipart-signed message I make sure I convert
the data message part into its canonicalised form before calculating
the signature. I then send the message and the recipient is responsible
for converting the data back into the canonicalised format prior to
verifying the signature. So far so good.
Now for a multipart-signed then enveloped message I still calculate the
signature on the canonicalised form of the message. One of my test partners
disagrees with this as the inner multipart-signed will not have been
mangled by any mail agent and therefore the signature should be done on the
actual inner contents.
Can we confirm on what the signature is based for the multipart-signed then
enveloped case?
Graham
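
The canonicalise-then-digest step described in the message above, as an added example that is not part of the original post. It assumes a text entity whose canonical form uses CRLF line endings and SHA-256 as the digest; the function names and the sample entity are constructed for illustration, and only the digest that would be signed is compared, not a signature.

```python
import hashlib


def canonicalise(entity: bytes) -> bytes:
    """Normalise every line ending (CRLF, bare CR, bare LF) to CRLF."""
    unified = entity.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return unified.replace(b"\n", b"\r\n")


def digest(entity: bytes, canonical: bool = True) -> str:
    """Digest that would be fed to the signature algorithm (SHA-256 assumed)."""
    data = canonicalise(entity) if canonical else entity
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the first part of a multipart/signed message.
SIGNED_PART = (
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Pay invoice 42.\r\n"
    b"Regards\r\n"
)


def lf_gateway(entity: bytes) -> bytes:
    """Hypothetical mail agent that rewrites CRLF to bare LF in transit."""
    return entity.replace(b"\r\n", b"\n")


def compare(received: bytes) -> dict:
    """Check the received bytes against the sender's digest in both ways."""
    sender_digest = digest(SIGNED_PART)  # sender digests the canonical form
    return {
        "raw": digest(received, canonical=False) == sender_digest,
        "canonical": digest(received) == sender_digest,
    }


if __name__ == "__main__":
    # Bytes arrive untouched: both ways of computing the digest agree.
    print("untouched:", compare(SIGNED_PART))
    # Line endings rewritten: only the re-canonicalised digest still matches.
    print("rewritten:", compare(lf_gateway(SIGNED_PART)))
```
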