
Re: Signing the hash of the signer's certificate



Thanx Denis,
Seems reasonable.
/anders
----- Original Message ----- 
From: "Denis Pinkas" <Denis.Pinkas@xxxxxxxx>
To: "Anders Rundgren" <anders.rundgren@xxxxxxxxx>
Cc: "pkix" <ietf-pkix@xxxxxxx>
Sent: Wednesday, March 10, 2004 17:51
Subject: Re: Signing the hash of the signer's certificate


Anders,

> It seems that neither CMS nor XML Dsig explicitly
> support signing the hash of the signer's certificate.
> 
> But this has been added to ETSI's XAdES.

  ... and is present in RFC 3126 (Electronic Signature Formats
      for long term electronic signatures).

> I understand that the reason for this addition was to thwart
> changing the client certificate.

> However, there must be a considerable difficulty
> finding a client certificate with an identical public key
> (and a provable possession of a matching private key),
> which is required in order to succeed with this attack.

Asking for a client certificate with an identical public key,
when the CA has NOT performed a POP, might be easy.

When the hash of the signer's certificate is signed, it does not matter 
anymore whether or not the CA or the RA has performed a POP at registration 
time.

Signing the hash of the signer's certificate is like doing a POP, but in 
real time for each signature with the advantage that it can be immediately 
verified by a verifier.

This also means POP does NOT need to be performed at registration time by 
RAs for keys usable for NR purposes, if they are only used in the context of 
XAdES or RFC 3126.

Denis



> Any thoughts about this?
> 
> Anders R
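
The effect discussed in this thread, as an added example that is not part of the original messages: a verifier accepts a plain signature under any certificate carrying the same public key, and rejects the substituted certificate once the hash of the signer's certificate is covered by the signature. Assumptions: the toy textbook RSA key, the string stand-in for a certificate, and all function names are constructed for illustration and are not the XAdES or RFC 3126 encoding.

```python
import hashlib

# Toy textbook RSA key built from two Mersenne primes.
# Constructed and insecure; it only stands in for the signer's real key.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer


def make_cert(subject: str, n: int, e: int) -> bytes:
    """Hypothetical stand-in for a DER certificate: subject plus public key."""
    return f"subject={subject};n={n};e={e}".encode()


def cert_public_key(cert: bytes):
    fields = dict(f.split("=", 1) for f in cert.decode().split(";"))
    return int(fields["n"]), int(fields["e"])


def signed_input(doc: bytes, cert: bytes, bind_cert: bool) -> bytes:
    # With bind_cert=True the hash of the signer's certificate is part of
    # what gets signed; with False only the document hash is covered.
    cert_hash = hashlib.sha256(cert).digest() if bind_cert else b""
    return cert_hash + hashlib.sha256(doc).digest()


def digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(doc: bytes, cert: bytes, bind_cert: bool) -> int:
    return pow(digest_int(signed_input(doc, cert, bind_cert), N), D, N)


def verify(doc: bytes, sig: int, cert: bytes, bind_cert: bool) -> bool:
    # The verifier takes the public key from whichever certificate it is shown.
    n, e = cert_public_key(cert)
    return pow(sig, e, n) == digest_int(signed_input(doc, cert, bind_cert), n)


# Constructed sample data: two certificates with the same public key, the
# second issued to a different subject by a CA that performed no POP.
SIGNER_CERT = make_cert("CN=Alice", N, E)
OTHER_CERT = make_cert("CN=Mallory", N, E)
DOC = b"constructed sample document"

if __name__ == "__main__":
    for bind in (False, True):
        sig = sign(DOC, SIGNER_CERT, bind)
        print("cert hash signed:", bind,
              "| signer cert verifies:", verify(DOC, sig, SIGNER_CERT, bind),
              "| substituted cert verifies:", verify(DOC, sig, OTHER_CERT, bind))
```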