
RE: AS2-SMIME : has the certificate to be included inside the signature?



Response or two in line.
-----Original Message-----
From: Paul V Ford-Hutchinson [mailto:paulfordh@xxxxxxxxxx]
Sent: Thursday, June 05, 2003 9:02 AM
To: Rishel,Wes
Cc: ietf-ediint@xxxxxxxxxxxxxxxx
Subject: RE: AS2-SMIME : has the certificate to be included inside the signature?


No , that's one of the main points of X.509 certificates.

[Unless you are discussing self-signed certificates (the X.509 equivalent of "trust me, because I say so - signed me")]

so .....

Is there a published way for an AS-2 implementation to map the "AS2-From" field to an X.509 DN ?  
 
Not in IETF spec. Maybe someone has profiled AS2 for some community/vertical but I have not heard of one.
 
Or does AS2 assume that there is always some OOB mechanism for establishing identity (AS2-To/From) to certificate mappings ?  
 
SMIME/CMS/PKCS7 has in its SignerInfo structure fields that allow determination of the relevant signature used in producing the signature.
So the value for the AS2-From field is not involved in finding the certificate. Actually, the AS2-From value should not be considered a highly trusted piece of information-- no signature over it. Generally spoofing would be a lot harder if you use SSL though.

If the former - who needs to bloat messages with certificates?  
AS2 follows the CMS/PKCS7 approach on identifying the certificate used in signing.  So you are right, cert chain can be omitted.
If the latter - why ?  
 
Not applicable. If there were a mapping, then people might wonder what to do if the AS2-from value did not match up with the X.509 DN.
Should we discard the whole thing? 
 
We avoid this. What we have now is that the signed info is what counts only. So trust that the payload is OK if you accept the signature as one that checks out with respect to a certificate that chains up to one of your trust anchors (which will be itself if using self-signed certs.) 
 
Dale 

Paul
--
Paul Ford-Hutchinson :  eCommerce application security : paulfordh@xxxxxxxxxx
MPT-6, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5JL +44 (0)1926 462005
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html



"Rishel,Wes" <Wes.Rishel@xxxxxxxxxxx>
Sent by: owner-ietf-ediint@xxxxxxxxxxxx

05/06/2003 15:23

        To:        "Jess Sightler" <jsightler@xxxxxxxxxxxxxxxxxxxx>, <lstoeckle@xxxxxxxxxxxxxxxx>
        cc:        <ietf-ediint@xxxxxxxxxxxxxxxx>
        Subject:        RE: AS2-SMIME : has the certificate to be included inside the signature?

What is the benefit of sending the cert with the message? If you truly want to authenticate the originator you have to acquire the cert by independent, trusted means, don't you?

-----Original Message-----
From: owner-ietf-ediint@xxxxxxxxxxxx
[mailto:owner-ietf-ediint@xxxxxxxxxxxx]On Behalf Of Jess Sightler
Sent: Thursday, June 05, 2003 6:36 AM
To: lstoeckle@xxxxxxxxxxxxxxxx
Cc: ietf-ediint@xxxxxxxxxxxxxxxx
Subject: Re: AS2-SMIME : has the certificate to be included inside the signature?



I can't speak 100% from the spec on this, but I know that iSoft makes
sending the Certificate with a signature optional.

Based on that, I believe that it is an option to not send the cert.  I
believe that sending the Cert would be a good practice, however.

Thanks,
Jess


On Thu, 2003-06-05 at 09:58, lstoeckle@xxxxxxxxxxxxxxxx wrote:
> Hello,
>
>
>
> I am new on this list - and I need your help.
>
>
>
> AS2: when sending a signed message (the original message which can
> also be signed, or a signed MDN), has the signer's certificate to be
> included inside of the signature MIME part?
>
> Is it mandatory or should AS2 compliant products accept both? (signed
> messages containing the cert, or not containing it, in which case they
> would try to find a certificate on the local key store etc.)
>
>
>
> Regards,
>
> -----------------------------------------
> Ludan STOECKLE
> DSI Groupe Casino - Etudes
>
> 04 77 45 48 01
>
> lstoeckle@xxxxxxxxxxxxxxxx
> -----------------------------------------
>
>
>
>
>
>
--
=======================================
Jess Sightler
Senior Developer
Exim Technologies
131 Falls Street
Greenville SC 29601
Phone: 864-679-4651
=======================================
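The model described in the top reply (the signer is located from the SignerInfo in the CMS structure, the certificate chain may be omitted, and trust rests on chaining to a local trust anchor rather than on the unsigned AS2-From header), as an added example that is not code from the thread or from any AS2 product. It assumes the openssl command-line tool; the trust anchor, partner and impostor certificates and the payload are all constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread: a CMS/S-MIME signature made
# with the certificate omitted (-nocerts), then verified by locating the
# signer in a local store via the SignerInfo issuer+serial and chaining
# it to a trust anchor. Assumes the openssl CLI; all names are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Constructed PKI: one self-signed trust anchor and one partner cert it issued.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Constructed Trust Anchor" -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout partner.key -out partner.csr \
  -subj "/CN=PARTNER-AS2-ID" >/dev/null 2>&1
openssl x509 -req -in partner.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out partner.pem -days 30 >/dev/null 2>&1
# An impostor with the same CN but self-signed: a name match is not trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout impostor.key \
  -out impostor.pem -subj "/CN=PARTNER-AS2-ID" -days 30 >/dev/null 2>&1
printf 'ISA*00*constructed EDI payload*\n' > payload.edi
# Sign as the partner, omitting the certificate chain (permitted by CMS).
openssl cms -sign -in payload.edi -signer partner.pem -inkey partner.key \
  -nocerts -out signed.p7m

# Verify using only the signed data: the signer is looked up in the local
# store ($1) by the issuer+serial carried in SignerInfo and must chain to
# ca.pem. AS2-From (an unsigned HTTP header) plays no part in this decision.
verify_with_store() {
  openssl cms -verify -in signed.p7m -certfile "$1" -CAfile ca.pem \
    -out /dev/null >/dev/null 2>&1
}
# Same check when the receiver holds no local copy of the signer's cert.
verify_without_store() {
  openssl cms -verify -in signed.p7m -CAfile ca.pem -out /dev/null >/dev/null 2>&1
}

verify_with_store partner.pem && echo "store has partner cert: signature accepted"
verify_without_store || echo "no embedded cert and no store entry: signer not found"
verify_with_store impostor.pem || echo "impostor with matching CN only: rejected"
```

The middle case is the receiver-side cost of omitting the chain: without an out-of-band copy of the partner certificate the signature cannot be checked at all, which is why the thread treats sending the cert as optional but good practice.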