[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Signing the hash of the signer's certficate

To: ietf-pkix@xxxxxxx
Subject: Re: Signing the hash of the signer's certficate
From: Jean-Marc Desperrier <jmdesp@xxxxxxx>
Date: Wed, 10 Mar 2004 17:16:30 +0100
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:) Gecko/20040226

Anders Rundgren wrote:

It seems that neither CMS nor XML Dsig explicitly support signing the hash of the signer's certificate.

It was not included directly inside RFC2630, but inside a RFC that followed it shortly : RFC2634.

The extension can be placed as a signed attribute inside any CMS or pkcs#7 message.

I understand that the reason for this addition was to thwart
changing the client certificate.
However, there must be a considerable difficulty finding a client certificate with an identical public key

Read RFC2634 chapter 5 and you will see the true reasons why this should be done :

http://www.zvon.org/tmRFC/RFC2634/Output/chapter5.html

References:
- Signing the hash of the signer's certficate
  - From: Anders Rundgren

Prev by Date: Signing the hash of the signer's certficate
Next by Date: Re: Signing the hash of the signer's certficate
Previous by thread: Signing the hash of the signer's certficate
Next by thread: Re: Signing the hash of the signer's certficate
Index(es):
- Date
- Thread