How about something like the following to avoid multiple instances of an alg
ID:
AlgorithmValidityInfo ::= SEQUENCE {
  identifier   AlgorithmIdentifier,
  constraints  SEQUENCE OF Constraint
}

Constraint ::= SEQUENCE {
  parameter CHOICE {
    exact [0] OCTET STRING,
    min   [1] OCTET STRING,
    max   [2] OCTET STRING,
    range [3] Range,
    other [4] OtherConstraints },
  validity    Validity OPTIONAL,
  information Information OPTIONAL }
> -----Original Message-----
> From: owner-ietf-ltans@xxxxxxxxxxxx
> [mailto:owner-ietf-ltans@xxxxxxxxxxxx] On Behalf Of Thomas Kunz
> Sent: Wednesday, December 05, 2007 11:02 AM
> To: Turner, Sean P.
> Cc: ietf-ltans@xxxxxxx
> Subject: Re: comment on draft-ietf-ltans-dssc-01.txt
>
> The problem with your suggested syntax is the definition of
> our constraints. If we used the RFC3280
> AlgorithmIdentifier structure, we would integrate the
> constraints as follows:
>
> AlgorithmValidityInfo ::= SEQUENCE {
> identifier AlgorithmIdentifier,
> constraint CHOICE {
> exact [0] OCTET STRING,
> min [1] OCTET STRING,
> max [2] OCTET STRING,
> range [3] Range,
> other [4] OtherConstraints },
> validity Validity OPTIONAL,
> information Information OPTIONAL }
>
> It's not possible to determine constraints for more than one
> parameter (e.g. p > 1024 and q > 160 in case of DSA).
> Additionally, defining ranges is impossible (e.g. modulus <
> 2048 and modulus > 1024).
>
>
> so & tk
>
>
> Turner, Sean P. schrieb:
> > I'm only commenting on the Parameter structure in the
> > ASN.1. I think
> > that it might be better to change Algorithm to be a sequence of
> > algorithmIdentifier, validity, and information - call it
> > AlgorithmValidityInfo. I suggest this for two reasons:
> >
> > 1. The AlgorithmIdentifier structure that is used to assign an
> > algorithm's object identifier also defines the parameters. So it
> > probably makes sense to reuse this structure.
> >
> > 2. The parameter structures for some of the newer
> > algorithms are quite
> > complicated. For example, RSASSA-PSS [RFC4055] and ECC
> > algs [RFC3279]
> > aren't just an OID; they are nested structures.
> >
> > (not sure how to do it in XML)
> >
> > Replace:
> >
> > Algorithm ::= SEQUENCE {
> > algorithmIdentifier AlgID,
> > parameters [0] SEQUENCE OF Parameter OPTIONAL,
> > validity [1] Validity,
> > information [2] SEQUENCE OF UTF8String OPTIONAL
> > }
> >
> > AlgID ::= SEQUENCE {
> > name UTF8String,
> > oid [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
> > uri [1] SEQUENCE OF IA5String OPTIONAL
> > }
> >
> > Parameter ::= SEQUENCE {
> > name UTF8String,
> > constraint CHOICE {
> > exact [0] OCTET STRING,
> > min [1] OCTET STRING,
> > max [2] OCTET STRING,
> > range [3] Range,
> > other [4] OtherConstraints
> > }
> > }
> >
> > With:
> >
> > AlgorithmValidityInfo ::= SEQUENCE {
> > identifier AlgorithmIdentifier,
> > validity Validity OPTIONAL,
> > information Information OPTIONAL }
> >
> > Validity ::= SEQUENCE {
> > start [0] GeneralizedTime OPTIONAL,
> > end [1] GeneralizedTime OPTIONAL }
> >
> > Information ::= SEQUENCE SIZE (1..MAX) OF UTF8String
> >
> > -- From RFC3280
> > AlgorithmIdentifier ::= SEQUENCE {
> > algorithm OBJECT IDENTIFIER,
> > parameters ANY DEFINED BY algorithm OPTIONAL }
> > -- contains a value of the type
> > -- registered for use with the
> > -- algorithm object identifier value
> >
> > spt
> >
> >
>
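The multi-parameter case Thomas raises (DSA with p >= 1024 and q >= 160, an RSA modulus bounded on both sides), checked against the SEQUENCE OF Constraint layout proposed above, as an added example that is not part of this thread or of draft-ietf-ltans-dssc. It models the structures as plain Python dicts rather than DER, assumes a numeric parameter value is carried in the OCTET STRING as an unsigned big-endian integer and Range as a (min, max) pair of such strings, and assumes each Constraint carries the parameter name it applies to (the name UTF8String the draft's original Parameter structure had), since the sketch above does not say how a constraint is matched to p versus q.

```python
# Added example, not from draft-ietf-ltans-dssc or the mailing-list thread.
# Assumptions (not stated on the list): numeric parameter values travel in
# the OCTET STRING as unsigned big-endian integers, Range is a (min, max)
# pair of such strings, and each Constraint names its parameter ("name"),
# which the sketched Constraint SEQUENCE itself does not carry.

def int_to_octets(n):
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def octets_to_int(octets):
    return int.from_bytes(octets, "big")

def constraint_holds(constraint, value):
    """Evaluate the CHOICE alternatives exact / min / max / range."""
    kind, operand = constraint["parameter"]
    if kind == "exact":
        return value == octets_to_int(operand)
    if kind == "min":
        return value >= octets_to_int(operand)
    if kind == "max":
        return value <= octets_to_int(operand)
    if kind == "range":
        lo, hi = operand
        return octets_to_int(lo) <= value <= octets_to_int(hi)
    raise ValueError("unsupported constraint alternative: " + kind)

def algorithm_suitable(avi, actual):
    """True iff every Constraint in avi["constraints"] holds for the matching
    entry of `actual` (dict: parameter name -> integer value)."""
    for c in avi["constraints"]:
        if c["name"] not in actual:
            return False                  # constrained parameter is missing
        if not constraint_holds(c, actual[c["name"]]):
            return False
    return True

# Constructed sample data: two constraints per algorithm, which a single
# "constraint CHOICE" field could not express.
DSA_AVI = {"identifier": "id-dsa", "constraints": [
    {"name": "p", "parameter": ("min", int_to_octets(1024))},
    {"name": "q", "parameter": ("min", int_to_octets(160))}]}
RSA_AVI = {"identifier": "rsaEncryption", "constraints": [
    {"name": "modulus", "parameter": ("min", int_to_octets(1024))},
    {"name": "modulus", "parameter": ("max", int_to_octets(2048))}]}
```

A key whose q is too short fails even when p is generous, which is exactly the check the single-CHOICE form cannot express.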