Re: using application/octet-stream in multipart/encrypted
Jueneman@gte.com
Thu, 07 Mar 1996 14:27:28 EST
>Could someone please refresh my memory as to why the "consensus" was to
>use application/<specific> instead of application/octet-stream in the
>second part of a multipart/encrypted message? Given the current state of
>things, this doesn't seem to be so bad (PGP doesn't use the first part,
>and I don't think multipart S/MIME will either), but I have concerns
>about what will happen in the future. If RFC1847 is indeed adopted and
>changed so that the first part can be a multipart containing several
>different certificates (but with the same key, I suppose), then the second
>body really isn't specific to any system...
I'm not up to speed on the basic issue you are discussing, but your
parenthetical remark "(but with the same key, I suppose)" causes me a great
deal of heartburn.
I am willing to concede that there may be certain, VERY unusual circumstances
where a certificate may have to be reissued with the same public key as an old
one, but these should be extremely rare. (An example is the cessation of
operation of a CA, including a change of name that might be caused by a merger
or acquisition. If some other organization takes over the CA's responsibility,
including those implied by the CA policy to the last tittle and jot, then I
suppose it would be OK to reuse the old public key so as to avoid trashing the
entire certificate hierarchy at that point.)
Unless the certificate itself is bound in with the signed message, which is not
normally the case, then using two different certificates with the same key
makes it cryptographically impossible to determine which certificate in fact
was supposed to be used. Since the entire point of having a certificate is to
bind the public key to some form of name, identity, and/or
attribute/permissions, having two certificates with the same public key
introduces an intolerable ambiguity.
Bob
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
Jueneman@gte.com
1-617/466-2820
"The opinions expressed are my own, and may not
reflect the official position of GTE, if any, on this subject."
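The ambiguity described in the message above, worked through as an added example that is not part of the original post or thread. It constructs two certificates that carry the same public key under different subjects, then shows that a verifier resolving the signer by key alone gets two equally valid candidates, while a signer identifier (issuer and serial) covered by the signature pins the intended certificate and cannot be swapped afterwards. The certificate and store classes, the key bytes and the messages are all constructed for the example; signing is stood in for by an HMAC whose verification key equals the signing key, which is a deliberate simplification so the block runs with the standard library only.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the original message. All certificates, keys
# and messages below are constructed. Signing is stood in for by an HMAC whose
# verification key equals the signing key; a real system uses an asymmetric
# signature, but the certificate-resolution logic is the same.


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    subject: str
    public_key: bytes  # verification key (toy: same bytes the signer holds)


class CertStore:
    """Certificates indexed by (issuer, serial); the full list is kept for key-only lookups."""

    def __init__(self, certs):
        self._certs = list(certs)
        self._by_id = {(c.issuer, c.serial): c for c in self._certs}

    def by_id(self, issuer: str, serial: int) -> Optional[Certificate]:
        return self._by_id.get((issuer, serial))

    def all(self):
        return list(self._certs)


def _signed_bytes(message: bytes, signer_id) -> bytes:
    # The signer identifier (issuer, serial), when present, is covered by the
    # signature, so a recipient cannot have it swapped for another certificate's.
    attrs = b"" if signer_id is None else f"{signer_id[0]}|{signer_id[1]}".encode()
    return attrs + b"\x00" + message


def sign(signing_key: bytes, message: bytes, signer_id=None) -> dict:
    tag = hmac.new(signing_key, _signed_bytes(message, signer_id), hashlib.sha256).hexdigest()
    return {"message": message, "signer_id": signer_id, "sig": tag}


def _verify(public_key: bytes, signed: dict) -> bool:
    expected = hmac.new(public_key, _signed_bytes(signed["message"], signed["signer_id"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def resolve_signer(store: CertStore, signed: dict):
    """Return (status, result): which certificate the signature was made under.

    status is "ok" (result is the certificate), "ambiguous" (result is the list
    of candidate certificates), "no-cert" or "bad-signature".
    """
    signer_id = signed["signer_id"]
    if signer_id is not None:
        cert = store.by_id(*signer_id)
        if cert is None:
            return "no-cert", None
        return ("ok", cert) if _verify(cert.public_key, signed) else ("bad-signature", None)
    # No certificate bound into the message: every cert whose key verifies is a candidate.
    candidates = [c for c in store.all() if _verify(c.public_key, signed)]
    if not candidates:
        return "no-cert", None
    if len(candidates) == 1:
        return "ok", candidates[0]
    return "ambiguous", candidates


# Constructed scenario: one public key appears in two certificates with different
# subjects, so the key alone no longer says which identity or role signed.
SHARED_KEY = b"constructed-key-material-for-the-example"
PERSONAL = Certificate("Example CA", 17, "CN=Alice Example", SHARED_KEY)
OFFICER = Certificate("Example CA", 42, "CN=Alice Example, OU=Signing Officer", SHARED_KEY)
STORE = CertStore([PERSONAL, OFFICER])
MESSAGE = b"Approve the transfer."


def demo():
    unbound = sign(SHARED_KEY, MESSAGE)                    # no certificate reference
    bound = sign(SHARED_KEY, MESSAGE, ("Example CA", 17))  # personal certificate named
    swapped = dict(bound, signer_id=("Example CA", 42))    # reference altered after signing
    return {
        "unbound": resolve_signer(STORE, unbound),
        "bound": resolve_signer(STORE, bound),
        "swapped": resolve_signer(STORE, swapped),
    }


if __name__ == "__main__":
    for name, (status, result) in demo().items():
        print(f"{name:8s} -> {status}: {result}")
```

Running `demo()` gives "ambiguous" with both certificates for the unbound message, "ok" with the personal certificate for the bound one, and "bad-signature" for the copy whose signer reference was changed after signing. The resolution by (issuer, serial) inside the signed attributes is the same idea as the signer identifier that S/MIME carries in its SignerInfo; it is only a defence if that identifier is under the signature, as `_signed_bytes` arranges here.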