We have a question related to using the signature policy in
the CAdES signatures (EPES) defined in RFC-5126. Here is the relevant
structure:

    SignaturePolicyId ::= SEQUENCE {
        sigPolicyIdentifier  SigPolicyId,
        sigPolicyHash        SigPolicyHash,
        sigPolicyQualifiers  SEQUENCE SIZE (1..MAX) OF
                             SigPolicyQualifierInfo OPTIONAL }

    SigPolicyId ::= OBJECT IDENTIFIER

    SigPolicyHash ::= OtherHashAlgAndValue

    OtherHashAlgAndValue ::= SEQUENCE {
        hashAlgorithm  AlgorithmIdentifier,
        hashValue      OtherHashValue }

    SigPolicyQualifierInfo ::= SEQUENCE {
        sigPolicyQualifierId  SigPolicyQualifierId,
        sigQualifier          ANY DEFINED BY sigPolicyQualifierId }

    SigPolicyQualifierId ::= OBJECT IDENTIFIER

    id-spq-ets-uri OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16)
        id-spq(5) 1 }

    SPuri ::= IA5String

    id-spq-ets-unotice OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16)
        id-spq(5) 2 }

    SPUserNotice ::= SEQUENCE {
        noticeRef     NoticeReference OPTIONAL,
        explicitText  DisplayText OPTIONAL }

    NoticeReference ::= SEQUENCE {
        organization   DisplayText,
        noticeNumbers  SEQUENCE OF INTEGER }

    DisplayText ::= CHOICE {
        visibleString  VisibleString (SIZE (1..200)),
        bmpString      BMPString (SIZE (1..200)),
        utf8String     UTF8String (SIZE (1..200)) }

In the given structure for the CAdES-EPES signature, it is not
clear whether we are computing the hash "SigPolicyHash" over the
document at "SPuri" and/or over the "SPUserNotice". Are the following
combinations valid?

1) Only compute the hash over the document present at SPuri if only
   SPuri is set
2) Only compute the hash over SPUserNotice if only
   SPUserNotice is set
3) Compute the hash over the document at SPuri and SPUserNotice if
   both are set

Please clarify it.

Thanks!

Regards,
Yasir Khan
Ascertia Ltd
t. +44 (0)1483 685500
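Added worked example (not part of the post, and not Ascertia's or any library's code). RFC 5126 section 5.8.1 defines sigPolicyHash as the hash of the signature policy document itself, i.e. the value identified by sigPolicyIdentifier; the SPuri and SPUserNotice qualifiers only tell a relying party where to obtain the policy or what to display, and are not input to the hash. Under that reading none of the three combinations above describes the field. The code below makes this concrete with a minimal DER encoder: it builds a SignaturePolicyId carrying a SHA-256 hash of a constructed policy document plus one SPuri qualifier, and then shows the verifier side, which fetches the policy (here passed in directly), hashes it and compares in constant time. The policy OID, URL and policy bytes are hypothetical sample values; id-spq-ets-uri is the OID given in the post.

```python
"""Added example (not from the post): encode and check a CAdES-EPES
SignaturePolicyId whose sigPolicyHash covers the signature policy document."""
import hashlib
import hmac

# --- minimal DER helpers, only what SignaturePolicyId needs ---

def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value

def _oid_value(dotted: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER (first two arcs merged, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes(body)

def der_oid(dotted: str) -> bytes:
    return der_tlv(0x06, _oid_value(dotted))

def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_octet_string(b: bytes) -> bytes:
    return der_tlv(0x04, b)

def der_ia5(s: str) -> bytes:
    return der_tlv(0x16, s.encode("ascii"))

def _der_read(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

OID_SHA256 = "2.16.840.1.101.3.4.2.1"          # id-sha256
OID_SPQ_ETS_URI = "1.2.840.113549.1.9.16.5.1"  # id-spq-ets-uri, as given in the post

def policy_hash(policy_document: bytes) -> bytes:
    """sigPolicyHash input is the signature policy document itself (RFC 5126 5.8.1).
    The SPuri / SPUserNotice qualifiers only locate or describe it; they are not hashed."""
    return hashlib.sha256(policy_document).digest()

def encode_signature_policy_id(policy_oid: str, policy_document: bytes, uri: str) -> bytes:
    """DER-encode SignaturePolicyId with a SHA-256 sigPolicyHash and one SPuri qualifier."""
    sig_policy_hash = der_sequence(                       # OtherHashAlgAndValue
        der_sequence(der_oid(OID_SHA256)),                # AlgorithmIdentifier, no parameters
        der_octet_string(policy_hash(policy_document)),   # OtherHashValue
    )
    qualifiers = der_sequence(                            # SEQUENCE OF SigPolicyQualifierInfo
        der_sequence(der_oid(OID_SPQ_ETS_URI), der_ia5(uri)),
    )
    return der_sequence(der_oid(policy_oid), sig_policy_hash, qualifiers)

def verify_signature_policy_id(encoded: bytes, retrieved_policy_document: bytes) -> bool:
    """Verifier side: obtain the policy (e.g. via SPuri), hash it, compare with sigPolicyHash."""
    tag, body, _ = _der_read(encoded, 0)
    if tag != 0x30:
        return False
    _, _policy_oid, pos = _der_read(body, 0)              # sigPolicyIdentifier
    _, hash_seq, _ = _der_read(body, pos)                 # sigPolicyHash
    _, alg_id, pos = _der_read(hash_seq, 0)               # AlgorithmIdentifier
    _, alg_oid, _ = _der_read(alg_id, 0)
    _, hash_value, _ = _der_read(hash_seq, pos)           # OtherHashValue
    if alg_oid != _oid_value(OID_SHA256):
        return False                                      # only SHA-256 handled in this example
    # RFC 5126 5.8.1 allows an all-zero hashValue meaning "hash not known"; a verifier that
    # needs the policy actually bound to the signature must not treat that as a match.
    if hash_value == bytes(len(hash_value)):
        return False
    return hmac.compare_digest(hash_value, policy_hash(retrieved_policy_document))

# Constructed sample policy document and hypothetical OID/URL, for illustration only.
SAMPLE_POLICY = b"Sample signature policy document v1 (constructed for this example)"
SAMPLE_POLICY_OID = "1.2.3.4.5"                           # hypothetical policy OID
SAMPLE_URI = "http://example.com/policy.der"              # hypothetical SPuri

if __name__ == "__main__":
    spid = encode_signature_policy_id(SAMPLE_POLICY_OID, SAMPLE_POLICY, SAMPLE_URI)
    print(spid.hex())
    print("policy hash matches:", verify_signature_policy_id(spid, SAMPLE_POLICY))
    print("tampered policy matches:", verify_signature_policy_id(spid, SAMPLE_POLICY + b"x"))
```

The point to notice in the verifier is what it hashes: the bytes of the policy document it retrieved, never the URI string or the user notice. If the document fetched from SPuri differs by one byte from what the signer hashed, the comparison fails, which is exactly the binding the EPES form is meant to give.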