Thanks Russ. That confirms my interpretation of 2630. I'm concerned that if I include an AC in SignedData in the "correct" field that commonly available applications/toolkits will choke when they try to validate the signature on the SignedData object.
I was hoping for a solution in which AC-enabled applications would use the AC if one is provided, but commonly available "AC challenged" applications/toolkits would just ignore it and rely only on the PKC for signature validation. Based on some of the responses I got from the SMIME list, it sounds like I may not be able to achieve this; especially since I would prefer to use the X.509 2000 AC syntax.
Chris

-----Original Message-----
From: Housley, Russ [mailto:rhousley@xxxxxxxxxxxxxxx]
Sent: Wednesday, August 29, 2001 10:24 AM
To: Christopher S. Francis
Cc: Ietf-Pkix
Subject: Re: Use of attribute certificates in SignedData
Chris:
SignedData has the following syntax:
SignedData ::= SEQUENCE {
  version CMSVersion,
  digestAlgorithms DigestAlgorithmIdentifiers,
  encapContentInfo EncapsulatedContentInfo,
  certificates [0] IMPLICIT CertificateSet OPTIONAL,
  crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
  signerInfos SignerInfos }

CertificateSet ::= SET OF CertificateChoices

CertificateChoices ::= CHOICE {
  certificate Certificate,                                -- See X.509
  extendedCertificate [0] IMPLICIT ExtendedCertificate,   -- Obsolete
  v1AttrCert [1] IMPLICIT AttributeCertificateV1,         -- Obsolete
  v2AttrCert [2] IMPLICIT AttributeCertificateV2 }        -- See X.509
PKCs and ACs needed to process any of the signerInfos should be carried in the certificates field.
Russ
At 10:43 AM 8/28/2001 -0400, Christopher S. Francis wrote:
>I have a question for the group concerning attribute certificates.
>
>Is there an accepted location to put an attribute certificate associated
>with the signer in the SignedData data structure? I have a SignedData
>object and I'm considering putting an attribute certificate associated
>with the signer in the certificates field of SignedData in addition to the
>PKC of the signer.
>
>Is that a philosophically correct location? Other options include burying
>the certificate in the encapsulated content or including it as a Signed or
>UnSigned attribute.
>
>I'd appreciate any advice and/or lessons learned that you can
>offer. Thanks in advance.
>
>Chris Francis
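As an added illustration of the CertificateChoices structure Russ quotes above and of the interoperability worry Chris raises, here is a small DER walker for the SignedData certificates field. It is example code written for this page, not code from the thread, from RFC 2630, or from any toolkit; the certificate and attribute-certificate bodies are constructed placeholders, and the "AC challenged" parser is a hypothetical one that knows only the two pre-AC alternatives. It shows that whether an AC-unaware verifier chokes depends on how its CHOICE decoder treats an unrecognised tag, and that only the PKC entries feed signature validation either way.

```python
# Added example (not from the thread): a minimal DER walker for the CMS
# 'certificates' field (certificates [0] IMPLICIT CertificateSet, where
# CertificateSet ::= SET OF CertificateChoices), comparing an AC-aware
# decoder with a hypothetical "AC challenged" one on the same input.

# Tags of the CertificateChoices alternatives. IMPLICIT tagging replaces the
# type's own tag, so the context-specific alternatives are encoded as
# constructed [0], [1], [2] (0xA0, 0xA1, 0xA2); the untagged Certificate keeps
# its universal SEQUENCE tag (0x30).
CERTIFICATE_CHOICES = {
    0x30: "certificate",
    0xA0: "extendedCertificate",
    0xA1: "v1AttrCert",
    0xA2: "v2AttrCert",
}
# The field itself is [0] IMPLICIT CertificateSet, so inside SignedData the
# SET OF tag (0x31) is replaced by constructed [0] (0xA0).
CERTIFICATES_FIELD_TAG = 0xA0


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Encode one tag-length-value element with a single-octet tag."""
    return bytes([tag]) + der_length(len(content)) + content


def read_tlv(buf, off):
    """Decode one TLV at buf[off:]; returns (tag, content, next_offset)."""
    tag = buf[off]
    first = buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length


def encode_certificates_field(choices):
    """choices: list of (tag, DER body) pairs, one per CertificateChoices value."""
    # DER requires SET OF elements in ascending order of their encodings.
    elements = sorted(der_tlv(tag, body) for tag, body in choices)
    return der_tlv(CERTIFICATES_FIELD_TAG, b"".join(elements))


def parse_certificates_field(buf, known=frozenset(CERTIFICATE_CHOICES), strict=True):
    """Walk the SET OF CertificateChoices and return [(alternative, body), ...].

    A decoder that does not know a CHOICE alternative has two options: reject
    the whole structure (strict=True) or skip the element (strict=False).
    """
    tag, content, end = read_tlv(buf, 0)
    if tag != CERTIFICATES_FIELD_TAG or end != len(buf):
        raise ValueError("not a [0] IMPLICIT CertificateSet")
    found = []
    off = 0
    while off < len(content):
        tag, body, off = read_tlv(content, off)
        if tag in known:
            found.append((CERTIFICATE_CHOICES[tag], body))
        elif strict:
            raise ValueError(f"unknown CertificateChoices tag 0x{tag:02X}")
        # lenient mode: silently skip the unrecognised alternative
    return found


def signature_validation_certs(entries):
    """Only public-key certificates are input to signature validation;
    attribute certificates carry authorization data, not a signing key."""
    return [body for name, body in entries if name in ("certificate", "extendedCertificate")]


# Constructed placeholders standing in for a real DER Certificate body and a
# real AttributeCertificateV2 body (PrintableString, tag 0x13); the structure
# around them, not their content, is what the example exercises.
SAMPLE_PKC = der_tlv(0x13, b"signer PKC placeholder")
SAMPLE_AC = der_tlv(0x13, b"signer AC placeholder")
SAMPLE_FIELD = encode_certificates_field([(0x30, SAMPLE_PKC), (0xA2, SAMPLE_AC)])

# Hypothetical AC-unaware decoder: knows only Certificate and ExtendedCertificate.
AC_CHALLENGED = frozenset({0x30, 0xA0})


def ac_aware_view():
    return [name for name, _ in parse_certificates_field(SAMPLE_FIELD)]


def ac_challenged_lenient_view():
    return [name for name, _ in
            parse_certificates_field(SAMPLE_FIELD, known=AC_CHALLENGED, strict=False)]


def ac_challenged_strict_fails():
    try:
        parse_certificates_field(SAMPLE_FIELD, known=AC_CHALLENGED, strict=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("AC-aware:", ac_aware_view())
    print("AC-challenged, lenient:", ac_challenged_lenient_view())
    print("AC-challenged, strict rejects:", ac_challenged_strict_fails())
```

Run as a script it prints the three views of the same field. The lenient decoder sees only the PKC and validates the signature exactly as before the AC was added; the strict decoder fails before it ever reaches signerInfos, which is the behaviour Chris is worried about. Whether a given real toolkit is strict or lenient is something to test against that toolkit, not something this example can tell you.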