[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LAST CALL:draft-ietf-pkix-time-stamp-05.txt

To: Denis.Pinkas@xxxxxxxx, roland@xxxxxxxxx
Subject: Re: LAST CALL:draft-ietf-pkix-time-stamp-05.txt
From: Peter Sylvester <Peter.Sylvester@xxxxxxxxxx>
Date: Mon, 21 Feb 2000 13:36:37 +0100 (MET)
Cc: ietf-pkix@xxxxxxx

> 
> The IETF draft defines the TimeStampToken datatype as a CMS SignedData
> construct, where the TSTInfo structure is wrapped inside the CMS
> structure.  CMS SignedData constructs can be used in two different
> ways, however; as an encapsulation and as an external signature.  The
> encapsulation mode means the data upon which the signature is computed
> is wrapped inside the CMS structure, whereas the external signature
> mode leaves the data external to the CMS structure.  Both modes provide
> equivalent security, both are directly supported and specified within
> the CMS specification [RFC 2630, page 9].
> 
> The ISO proposal is to simply use the CMS construct as an external
> signature rather than as an encapsulation.  The ISO proposal thus
> defines the 'TimeStampToken' data type as follows:
> 
> TimeStampToken ::= SEQUENCE {
>         tspData         TSTInfo,
>         tspSignature    OCTET STRING }
> 
> The CMS SignedData construct used as an external signature is
> DER-encoded in the tspSignature field.  In effect both proposals
> accomplish the same thing; the TSTInfo structure is signed, and the
> signature information is encapsulated in a CMS SignedData construct.

The inconvenience is to have 'yet another structure': I do not see a
real advantage to replace the CMS SignedData with the structure above.
have a CMS document at the top level has several advantadges; you
might use encryption around it you still have a 'document'.

It might be worth to look at the structure for the Digested-Data
content-Type.  

   The following object identifier identifies the digested-data content
   type:

      id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
          us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

   The digested-data content type shall have ASN.1 type DigestedData:

      DigestedData ::= SEQUENCE {
        version CMSVersion,
        digestAlgorithm DigestAlgorithmIdentifier,
        encapContentInfo EncapsulatedContentInfo,
        digest Digest }

      Digest ::= OCTET STRING

and use this in the case when you 'Digest' corresponds to
something defined by a mecanism. 

Have fun.
Peter Sylvester

Prev by Date: AC profile
Next by Date: Re: Straw Poll: SerialNumber definition
Previous by thread: Re: LAST CALL:draft-ietf-pkix-time-stamp-05.txt
Next by thread: IETF and ISO alignment on Time Stamping
Index(es):
- Date
- Thread