OASIS Mailing List Archives
dss message

Subject: RE: [dss] CMS (request for comments)



Greetings DSSers,

We have 2 proposals for CMS verify.  We need people to review and vote for one or the other, so we can finish up the core!

Background: a CMS enveloping or detached signature is a "SignedData", which can contain multiple "SignerInfo"s.  Each SignerInfo functions as a co-signature or counter-signature.

SignerInfo approach
------------------------------
  - client extracts a SignerInfo from SignedData
  - client sends SignerInfo inside <SignatureObject>/<Base64Signature>
  - client sends enveloped or detached content as an input document
  - PROS:
     - allows client to verify any co-signature or counter-signature
     - allows client to use client-side hashing
  - CONS:
     - may require modifying CMS libraries to support extraction of a SignerInfo (on the client-side) and its verification on the server-side

SignedData approach
------------------------------
  - client sends SignedData inside <SignatureObject>/<Base64Signature> (as above)
  - if a detached signature, content comes in an input document
  - if an enveloping signature, content is inside SignedData (and no input documents)
  - if there are co-signatures or counter-signatures, the server will reject the request
  - PROS:
     - easy to do with pre-existing CMS libraries
  - CONS:
     - doesn't support client-side hashing for enveloping signatures
     - doesn't support co-signatures or counter-signatures
     - requires making <InputDocuments> optional


Trevor
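Added example (editor's code, not part of Trevor's message or of any DSS/OASIS specification): a pure-Python inspection of a CMS SignedData (RFC 5652) that implements the server-side checks the SignedData approach above implies (exactly one SignerInfo, no counter-signatures, and detached vs. enveloping deciding whether an input document must accompany the signature) together with the client-side extraction step of the SignerInfo approach. It uses a hand-rolled minimal DER encoder/decoder and constructed sample SignedData blobs with dummy signature bytes; the OIDs are the real RFC 5652 values, while the function names, the placeholder SignerIdentifier and the sample signers are assumptions for illustration. Nothing is cryptographically verified here.

```python
"""Inspect CMS SignedData the way a DSS server receiving it in
<SignatureObject>/<Base64Signature> would need to.  Added example with a
minimal DER codec and constructed sample blobs; no signature is verified."""

# ---- minimal DER encoding (enough to construct sample SignedData) ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*parts):    return tlv(0x30, b"".join(parts))
def set_of(*parts): return tlv(0x31, b"".join(sorted(parts)))  # DER sorts SET OF elements
def integer(v):     return tlv(0x02, bytes([v]))                # small non-negative values only
def octets(b):      return tlv(0x04, b)

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_DATA        = "1.2.840.113549.1.7.1"
OID_COUNTERSIG  = "1.2.840.113549.1.9.6"   # id-countersignature, an unsigned attribute
OID_SHA256      = "2.16.840.1.101.3.4.2.1"
OID_RSA         = "1.2.840.113549.1.1.1"

def signer_info(sig, countersigs=()):
    """SignerInfo with a placeholder IssuerAndSerialNumber (constructed); countersigs
    are SignerInfos carried in the id-countersignature unsignedAttrs (RFC 5652 s.11.4)."""
    parts = [integer(1), seq(seq(), integer(7)), seq(oid(OID_SHA256)), seq(oid(OID_RSA)), octets(sig)]
    if countersigs:
        parts.append(tlv(0xA1, seq(oid(OID_COUNTERSIG), set_of(*countersigs))))  # [1] IMPLICIT
    return seq(*parts)

def signed_data(signer_infos, content=None):
    """ContentInfo{SignedData}.  content=None gives a detached signature, bytes an enveloping one."""
    eci = [oid(OID_DATA)]
    if content is not None:
        eci.append(tlv(0xA0, octets(content)))            # [0] EXPLICIT eContent
    sd = seq(integer(1), set_of(seq(oid(OID_SHA256))), seq(*eci), set_of(*signer_infos))
    return seq(oid(OID_SIGNED_DATA), tlv(0xA0, sd))

# ---- minimal DER decoding ----
def children(body):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag = body[pos]; pos += 1
        length = body[pos]; pos += 1
        if length & 0x80:                                 # long-form length
            n = length & 0x7F
            length = int.from_bytes(body[pos:pos + n], "big"); pos += n
        out.append((tag, body[pos:pos + length], body[start:pos + length]))
        pos += length
    return out

def inspect_signed_data(der):
    """Return detached/enveloping, the raw SignerInfo blobs and the counter-signature count."""
    ctype, wrapped = children(children(der)[0][1])[:2]
    if ctype[2] != oid(OID_SIGNED_DATA):
        raise ValueError("not a CMS SignedData")
    fields = children(children(wrapped[1])[0][1])        # [0] EXPLICIT -> SignedData SEQUENCE
    detached = len(children(fields[2][1])) == 1           # encapContentInfo without eContent
    signer_infos = children(fields[-1][1])                # signerInfos is always the last field
    countersigs = 0
    for _, si_body, _ in signer_infos:
        si_fields = children(si_body)
        if si_fields[-1][0] == 0xA1:                      # [1] IMPLICIT unsignedAttrs present
            for _, attr, _ in children(si_fields[-1][1]):
                attr_type, attr_values = children(attr)[:2]
                if attr_type[2] == oid(OID_COUNTERSIG):
                    countersigs += len(children(attr_values[1]))
    return {"detached": detached, "signer_infos": [raw for _, _, raw in signer_infos],
            "countersignatures": countersigs}

def server_accepts_signed_data(der, has_input_document):
    """SignedData approach: one signer, no counter-signatures; detached needs an
    input document, enveloping must come without one."""
    info = inspect_signed_data(der)
    if len(info["signer_infos"]) != 1 or info["countersignatures"]:
        return False
    return info["detached"] == has_input_document

def extract_signer_infos(der):
    """SignerInfo approach, client side: each SignerInfo can go alone into
    <Base64Signature>, with the content supplied as an input document."""
    return inspect_signed_data(der)["signer_infos"]

# constructed samples with dummy signature bytes
SIGNER_A = signer_info(b"\x11" * 16)
SIGNER_B = signer_info(b"\x22" * 16)
SD_DETACHED      = signed_data([SIGNER_A])
SD_ENVELOPING    = signed_data([SIGNER_A], content=b"hello")
SD_COSIGNED      = signed_data([SIGNER_A, SIGNER_B])
SD_COUNTERSIGNED = signed_data([signer_info(b"\x11" * 16, countersigs=[SIGNER_B])])

if __name__ == "__main__":
    for name in ("SD_DETACHED", "SD_ENVELOPING", "SD_COSIGNED", "SD_COUNTERSIGNED"):
        blob = globals()[name]
        print(name, inspect_signed_data(blob)["detached"], server_accepts_signed_data(blob, True))
```

The counter-signature check matters because a counter-signature is not a separate entry in signerInfos: it hides inside the unsignedAttrs of the SignerInfo it countersigns, so a server that only counts SignerInfos would accept exactly the case the SignedData approach says it must reject.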


