
Re: Signing the hash of the signer's certificate




Anders,


It seems that neither CMS nor XML Dsig explicitly
support signing the hash of the signer's certificate.

But this has been added to ETSI's XAdES.

... and is present in RFC 3126 (Electronic Signature Formats for long term electronic signatures).

I understand that the reason for this addition was to thwart
changing the client certificate.

However, there must be a considerable difficulty
finding a client certificate with an identical public key
(and a provable possession of a matching private key),
which is required in order to succeed with this attack.

Asking for a client certificate with an identical public key, when the CA has NOT performed a POP, might be easy.

When the hash of the signer's certificate is signed, it does not matter anymore whether or not the CA or the RA has performed a POP at registration time.

Signing the hash of the signer's certificate is like doing a POP, but in real time for each signature with the advantage that it can be immediately verified by a verifier.

This also means POP does NOT need to be performed at registration time by RAs for keys usable for NR purposes, if they are only used in the context of XAdES or RFC 3126.

Denis




Any thoughts about this?

Anders R
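
The certificate substitution discussed in this thread, as an added example that is not part of the original messages: a second certificate carrying the same public key verifies a plain signature equally well, while a signature whose signed attributes include the hash of the signer's certificate verifies only with the original. The textbook-RSA key, the `make_cert` text format and all names are constructed stand-ins for illustration, not CMS, XAdES or RFC 3126 encodings.

```python
import hashlib

# Toy textbook-RSA key (constructed, insecure, illustration only).
P, Q = 2**61 - 1, 2**89 - 1            # two Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent

def h(data):
    return hashlib.sha256(data).digest()

def make_cert(subject, n, e):
    # Hypothetical stand-in for a DER certificate: a subject bound to a key.
    return f"subject={subject};n={n};e={e}".encode()

def public_key(cert):
    fields = dict(f.split("=", 1) for f in cert.decode().split(";"))
    return int(fields["n"]), int(fields["e"])

def sign(data, cert=None):
    # Signed attributes: content digest, plus the certificate hash if given.
    attrs = h(data) + (h(cert) if cert is not None else b"")
    value = pow(int.from_bytes(h(attrs), "big") % N, D, N)
    return {"attrs": attrs, "value": value}

def verify(data, sig, cert, require_cert_hash=True):
    n, e = public_key(cert)
    attrs = sig["attrs"]
    # 1. The signature over the signed attributes must check out.
    if pow(sig["value"], e, n) != int.from_bytes(h(attrs), "big") % n:
        return False
    # 2. The attributes must cover this document.
    if attrs[:32] != h(data):
        return False
    # 3. The signed certificate hash must match the presented certificate.
    return attrs[32:] == h(cert) if require_cert_hash else True

def demo():
    doc = b"constructed sample document"
    signer_cert = make_cert("CN=Signer", N, E)
    # Same public key under another name, e.g. issued without a POP check.
    other_cert = make_cert("CN=Someone Else", N, E)
    plain, bound = sign(doc), sign(doc, signer_cert)
    return {
        "plain/signer": verify(doc, plain, signer_cert, require_cert_hash=False),
        "plain/other": verify(doc, plain, other_cert, require_cert_hash=False),
        "bound/signer": verify(doc, bound, signer_cert),
        "bound/other": verify(doc, bound, other_cert),
    }

if __name__ == "__main__":
    print(demo())
```
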