OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [dss] CMS (request for comments)

Intermixed. 

-----Original Message-----
From: Andreas Kuehne [mailto:kuehne@klup.de] 
Sent: April 22, 2004 10:19 AM
To: Trevor Perrin
Cc: dss@lists.oasis-open.org
Subject: Re: [dss] CMS (request for comments)

Hi Trevor !

> SignerInfo approach
> ------------------------------
>  - client extracts a SignerInfo from SignedData
>  - client sends SignerInfo inside <SignatureObject>/<Base64Signature>
>  - client sends enveloped or detached content as an input document

In the case of detached content, the certificates get lost, aren't they ?
Afaik they are not included in the CMS-SignerInfo, just referenced by
'IssuerAndSerialNumber' ...

<ed>
This is correct. The certificate would have to be pulled in prior to
commencing verification. Would present another challenge for the DSS
Implementer.
</ed>

>  - PROS:
>     - allows client to verify any co-signature or counter-signature
>     - allows client to use client-side hashing
>  - CONS:
>     - may require modifying CMS libraries to support extraction of a 
> SignerInfo (on the client-side) and its verification on the 
> server-side

>
> SignedData approach
> ------------------------------
>  - client sends SignedData inside <SignatureObject>/<Base64Signature>
> (as above)
>  - if a detached signature, content comes in an input document
>  - if an enveloping signature, content is inside SignedData (and no 
> input documents)
>  - if there are co-signatures or counter-signatures, the server will 
> reject the request
>  - PROS:
>    - easy to do with pre-existing CMS libraries
>  - CONS:
>    - doesn't support client-side hashing for enveloping signatures

Why should I do client-side hashing in this case ? The server will get the
complete content anyway ? It can do hashing whenever it's appropriate !

>    - doesn't support co-signatures or counter-signatures

Hmm, if he server got the complete SignedData structure, what's holding it
back from calling a pre-existing CMS library fully capable of verifying any
type of  co- and counter-signatures ? Maybe there is a problem with
returning multipe <SignerIdentity> elements ?
Do I missed an important issue ?

<ed>
Yes this is correct, the only issue is restricting selected Optional Inputs
when multiple signatures are present. A reasonable compromise.
</ed>

>    - requires making <InputDocuments> optional

Yes, I don't like weakening the schema. But I would accept this for enabling
CMS in the core.

<ed>
Agreed.
</ed>


Greetings

Andreas


To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php
.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]