
delegation attribute within a signed message



I am trying to investigate the possibility to implement a delegated electronic signature. I mean implement the fact that a signer has the necessary attributes to sign on behalf of someone else.

My understanding is that we should address this question from 2 angles:
	1. The signer should express in his signed message the fact that he is signing on behalf of someone else (for the sake of simplicity, let's say the superior).
	2. The signer should have the necessary privileges to sign on behalf of the superior.

If we take into consideration CMS signatures, a possible implementation of the above two points can be summarized as follows:

- Defining an additional attribute: "Delegated Signature". The fields of this attribute may be a reference to the document where the privilege of signing on behalf of someone else is expressed. It may simply be the hash of the superior's signing certificate.
- Adding this additional attribute as a signed attribute in the SignerInfo of the signed data within the CMS signature.
- Having a reference to the signature policy added as a signed attribute. Within the signature policy, we should express the fact that when a "delegated signature" attribute is added as a signed attribute, this means that the signatory is signing on behalf of a "superior".
- The document highlighting the privileges can be expressed within an X509 Attribute certificate. This means that the SUPERIOR will have its own ATTRIBUTE AUTHORITY. And the privilege within the X509 attribute certificate can be expressed as follows:
	Privilege type: OID describing the privilege of signature delegation
	Superior reference: Signing certificate of the superior.

This solution doesn't seem to be simple to express but provided that the necessary ASN.1 structures exist, it is intuitive to implement.

I have in mind several solutions, but can you please tell me if signature delegation has already been specified within some standard or RFC (to my knowledge, no such functionality has already been expressed in ETSI or PKIX standards)? And if it doesn't exist, what do you think about the solution I summarized above?

regards,

___________________________________________________________
Malek Bechlaghem
e-Security Product Development Manager
Strategy, Business Development and Product Management (SBP)
Internet Business Unit (IBU)
Belgacom SA/NV
Bd du Roi Albert II, 27, B-1030 Brussels

Tel.: +32 2 202 79 02
Fax: +32 2 202 41 06
E-mail: malek.bechlaghem@xxxxxxxxxxx

We bring security to the e-world : www.e-trust.be




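Added example, not part of the original post: a minimal DER encoder and strict decoder for the proposed "Delegated Signature" signed attribute, with the hash of the superior's signing certificate as its single value, plus the check a verifier would apply. The OID is a placeholder (none is assigned), the certificate bytes are constructed stand-ins, and the binding of the named superior to the signer's X.509 attribute certificate and signature policy is assumed to be established before check_delegation is called.

```python
import hashlib

DELEGATED_SIG_OID = "1.2.3.4.5.6"  # placeholder arc; the post assigns no OID
SUPERIOR_CERT = b"constructed stand-in for the superior's DER certificate"  # only hashed

def der(tag, content):  # one TLV; short-form length suffices for this attribute
    if len(content) >= 0x80:
        raise ValueError("long-form length not handled")
    return bytes([tag, len(content)]) + content
def der_oid(oid):  # OBJECT IDENTIFIER with base-128 sub-identifiers
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return der(0x06, bytes(out))
def _tlv(buf, pos=0):  # decode one short-form TLV -> (tag, content, next position)
    tag, ln = buf[pos], buf[pos + 1]
    if ln & 0x80:
        raise ValueError("long-form length not handled")
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln
def delegated_signature_attribute(superior_cert_der):
    """Attribute ::= SEQUENCE { OID, SET OF OCTET STRING }; value = SHA-256(superior cert)."""
    digest = hashlib.sha256(superior_cert_der).digest()
    return der(0x30, der_oid(DELEGATED_SIG_OID) + der(0x31, der(0x04, digest)))
def parse_delegated_attribute(attr):
    """Strict decode: exactly one 32-byte value under the delegation OID, no trailing data."""
    tag, seq, end = _tlv(attr)
    if tag != 0x30 or end != len(attr):
        raise ValueError("not a single DER Attribute")
    tag, oid, p = _tlv(seq)
    if tag != 0x06 or der(0x06, oid) != der_oid(DELEGATED_SIG_OID):
        raise ValueError("not the delegation attribute")
    tag, values, p = _tlv(seq, p)
    if tag != 0x31 or p != len(seq):
        raise ValueError("attrValues must be one SET that closes the SEQUENCE")
    tag, digest, p = _tlv(values)
    if tag != 0x04 or p != len(values) or len(digest) != 32:
        raise ValueError("expected exactly one SHA-256 OCTET STRING")
    return digest
def check_delegation(attr, authorised_superior_cert_der):
    """Verifier: the named superior must be the one the signer's attribute certificate / policy authorises."""
    try:
        return parse_delegated_attribute(attr) == hashlib.sha256(authorised_superior_cert_der).digest()
    except (ValueError, IndexError):
        return False
```

The verifier compares against the superior that the attribute certificate actually authorises for this signer, not against whatever certificate the attribute happens to reference, so a signer cannot claim delegation from an arbitrary superior.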