
Re: Use of attribute certificates in SignedData




Chris:


SignedData has the following syntax:

      SignedData ::= SEQUENCE {
        version CMSVersion,
        digestAlgorithms DigestAlgorithmIdentifiers,
        encapContentInfo EncapsulatedContentInfo,
        certificates [0] IMPLICIT CertificateSet OPTIONAL,
        crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
        signerInfos SignerInfos }

      CertificateSet ::= SET OF CertificateChoices

      CertificateChoices ::= CHOICE {
        certificate Certificate,                               -- See X.509
        extendedCertificate [0] IMPLICIT ExtendedCertificate,  -- Obsolete
        v1AttrCert [1] IMPLICIT AttributeCertificateV1,        -- Obsolete
        v2AttrCert [2] IMPLICIT AttributeCertificateV2 }       -- See X.509


PKCs and ACs needed to process any of the signerInfos should be carried in the certificates field.


Russ

At 10:43 AM 8/28/2001 -0400, Christopher S. Francis wrote:

I have a question for the group concerning attribute certificates.



Is there an accepted location to put an attribute certificate associated with the signer in the SignedData data structure? I have a SignedData object and I'm considering putting an attribute certificate associated with the signer in the certificates field of SignedData in addition to the PKC of the signer.

Is that a philosophically correct location? Other options include burying the certificate in the encapsulated content or including it as a Signed or UnSigned attribute.



I'd appreciate any advice and or lessons learned that you can offer. Thanks in advance.



Chris Francis
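The practical consequence of Russ's answer is that a CMS consumer must separate the PKCs from the ACs in the certificates field purely by the tag of each CertificateChoices element: an untagged SEQUENCE is a Certificate, while the IMPLICIT context tags [0], [1] and [2] mark the other alternatives, two of which are obsolete. The following Python script is an added example, not code from the thread or from any CMS implementation; it walks a DER-encoded CertificateSet with a small hand-written TLV reader and classifies each element by that tag. The sample bytes are constructed stubs that reproduce only the outer tagging (their contents are a single INTEGER, not a real certificate or attribute certificate), and the function names read_tlv, encode_tlv and classify_certificate_set are this example's own.

```python
"""Classify the elements of a CMS CertificateSet by their CertificateChoices tag.

Added example for the SignedData discussion above; not from the thread.
The sample SET OF below is constructed: its members are tagging stubs,
not real X.509 certificates or attribute certificates.
"""
from typing import List, Tuple

SEQUENCE = 0x30             # UNIVERSAL 16, constructed
SET = 0x31                  # UNIVERSAL 17, constructed
CONTEXT_CONSTRUCTED = 0xA0  # class bits for a constructed context-specific tag

# CertificateChoices alternatives keyed by identifier octet. Because the
# alternatives are IMPLICITly tagged, the context tag replaces the SEQUENCE
# tag of the underlying type, so the identifier octet alone selects the branch.
CHOICES = {
    SEQUENCE: ("certificate", False),                   # X.509 public-key cert
    CONTEXT_CONSTRUCTED | 0: ("extendedCertificate", True),   # obsolete
    CONTEXT_CONSTRUCTED | 1: ("v1AttrCert", True),            # obsolete
    CONTEXT_CONSTRUCTED | 2: ("v2AttrCert", False),           # X.509 AC v2
}


def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER TLV at data[pos]; return (tag, contents, position after it).

    Rejects indefinite-length and non-minimal length encodings, which DER forbids.
    """
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not expected in CertificateSet")
    first = data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length encoding is not DER")
    start = pos + hdr
    end = start + length
    if end > len(data):
        raise ValueError("TLV runs past end of data")
    return tag, data[start:end], end


def encode_tlv(tag: int, contents: bytes) -> bytes:
    """Encode one TLV with minimal (DER) length encoding; used to build samples."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + contents


def classify_certificate_set(der: bytes) -> List[Tuple[str, bytes]]:
    """Return [(alternative name, contents)] for each CertificateChoices element.

    Obsolete alternatives and unknown tags are rejected rather than silently
    skipped, so a PKC and an AC can never be confused with each other.
    (DER ordering of SET OF members is not checked here.)
    """
    tag, body, end = read_tlv(der)
    if tag != SET or end != len(der):
        raise ValueError("CertificateSet must be exactly one SET OF")
    result = []
    pos = 0
    while pos < len(body):
        tag, contents, pos = read_tlv(body, pos)
        if tag not in CHOICES:
            raise ValueError(f"unknown CertificateChoices tag 0x{tag:02X}")
        name, obsolete = CHOICES[tag]
        if obsolete:
            raise ValueError(f"{name} is obsolete and not accepted")
        result.append((name, contents))
    return result


# Constructed sample: one stub "Certificate" (SEQUENCE { INTEGER 1 }) followed by
# one stub "v2AttrCert" ([2] IMPLICIT SEQUENCE { INTEGER 2 }), as the signer's
# PKC and AC would sit side by side in the certificates field.
STUB_PKC = encode_tlv(SEQUENCE, b"\x02\x01\x01")
STUB_AC_V2 = encode_tlv(CONTEXT_CONSTRUCTED | 2, b"\x02\x01\x02")
SAMPLE_CERTIFICATE_SET = encode_tlv(SET, STUB_PKC + STUB_AC_V2)

# Constructed sample holding an obsolete v1AttrCert, which the classifier rejects.
OBSOLETE_CERTIFICATE_SET = encode_tlv(SET, encode_tlv(CONTEXT_CONSTRUCTED | 1, b"\x02\x01\x03"))

if __name__ == "__main__":
    for name, contents in classify_certificate_set(SAMPLE_CERTIFICATE_SET):
        print(f"{name}: {contents.hex()}")
```

Run as a script, it lists the two stub members by alternative name; a real implementation would hand the "certificate" entries to path validation and the "v2AttrCert" entries to the attribute-certificate checks, which is the split Russ's reply relies on.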