[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] CMS (request for comments)
Intermixed.

-----Original Message-----
From: Andreas Kuehne [mailto:kuehne@klup.de]
Sent: April 22, 2004 10:19 AM
To: Trevor Perrin
Cc: dss@lists.oasis-open.org
Subject: Re: [dss] CMS (request for comments)

Hi Trevor!

> SignerInfo approach
> ------------------------------
> - client extracts a SignerInfo from SignedData
> - client sends SignerInfo inside <SignatureObject>/<Base64Signature>
> - client sends enveloped or detached content as an input document

In the case of detached content, the certificates get lost, don't they? Afaik they are not included in the CMS SignerInfo, just referenced by 'IssuerAndSerialNumber' ...

<ed> This is correct. The certificate would have to be pulled in prior to commencing verification. Would present another challenge for the DSS Implementer. </ed>

> - PROS:
>   - allows client to verify any co-signature or counter-signature
>   - allows client to use client-side hashing
> - CONS:
>   - may require modifying CMS libraries to support extraction of a
>     SignerInfo (on the client-side) and its verification on the
>     server-side
>
> SignedData approach
> ------------------------------
> - client sends SignedData inside <SignatureObject>/<Base64Signature>
>   (as above)
> - if a detached signature, content comes in an input document
> - if an enveloping signature, content is inside SignedData (and no
>   input documents)
> - if there are co-signatures or counter-signatures, the server will
>   reject the request
> - PROS:
>   - easy to do with pre-existing CMS libraries
> - CONS:
>   - doesn't support client-side hashing for enveloping signatures

Why should I do client-side hashing in this case? The server will get the complete content anyway? It can do hashing whenever it's appropriate!

>   - doesn't support co-signatures or counter-signatures

Hmm, if the server got the complete SignedData structure, what's holding it back from calling a pre-existing CMS library fully capable of verifying any type of co- and counter-signatures? Maybe there is a problem with returning multiple <SignerIdentity> elements? Did I miss an important issue?

<ed> Yes this is correct, the only issue is restricting selected Optional Inputs when multiple signatures are present. A reasonable compromise. </ed>

>   - requires making <InputDocuments> optional

Yes, I don't like weakening the schema. But I would accept this for enabling CMS in the core.

<ed> Agreed. </ed>

Greetings

Andreas

To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php .
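The two transport options argued over above (a bare SignerInfo, which only references its certificate through IssuerAndSerialNumber, versus the whole SignedData, which the server can inspect for co- and counter-signatures and for enveloped versus detached content) can be made concrete with a small pure-Python DER model. The following is an added example, not code from the thread or from any DSS implementation: it builds constructed sample SignedData blobs with placeholder signature bytes and placeholder certificates (a SEQUENCE of Name, serial and a dummy key, not real X.509), then shows the certificate lookup a server must perform when it receives only a SignerInfo, and the "reject multi-signer input" rule of the SignedData approach. The hypothetical functions `parse_signed_data`, `signer_reference`, `find_certificate`, `has_countersignature` and `signed_data_approach_accepts` are this example's own names.

```python
"""Toy DER model of CMS SignedData (RFC 3852 layout) in pure Python.

Signatures, keys and certificates are placeholder bytes: this shows where
the structures put things, not real cryptographic verification.
"""

# ASN.1 tags used below (universal + context-specific)
SEQ, SET, INT, OID, OCTS, NULL, CTX0, CTX1, PRINT = 0x30, 0x31, 0x02, 0x06, 0x04, 0x05, 0xA0, 0xA1, 0x13

ID_SIGNED_DATA = "1.2.840.113549.1.7.2"
ID_DATA = "1.2.840.113549.1.7.1"
ID_SHA256 = "2.16.840.1.101.3.4.2.1"
ID_RSA = "1.2.840.113549.1.1.1"
ID_COUNTERSIGNATURE = "1.2.840.113549.1.9.6"   # unsignedAttr carrying a SignerInfo

# --- minimal DER encoding ---------------------------------------------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, *parts):
    body = b"".join(parts)
    return bytes([tag]) + _len(len(body)) + body

def der_int(n):  # non-negative INTEGER, with the leading 0x00 DER requires
    return tlv(INT, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _b128(v):
    out = [v & 0x7F]
    v >>= 7
    while v:
        out.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(out))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    return tlv(OID, _b128(arcs[0] * 40 + arcs[1]) + b"".join(_b128(a) for a in arcs[2:]))

def alg(oid_str):  # AlgorithmIdentifier with NULL parameters
    return tlv(SEQ, der_oid(oid_str), tlv(NULL))

def name(cn):  # Name ::= RDNSequence with a single CN (2.5.4.3)
    return tlv(SEQ, tlv(SET, tlv(SEQ, der_oid("2.5.4.3"), tlv(PRINT, cn.encode()))))

def signer_info(issuer_cn, serial, sig, countersig=None):
    """SignerInfo: version 1, sid = IssuerAndSerialNumber (a reference, not a cert)."""
    parts = [der_int(1), tlv(SEQ, name(issuer_cn), der_int(serial)),
             alg(ID_SHA256), alg(ID_RSA), tlv(OCTS, sig)]
    if countersig is not None:  # unsignedAttrs [1] IMPLICIT SET OF Attribute
        parts.append(tlv(CTX1, tlv(SEQ, der_oid(ID_COUNTERSIGNATURE), tlv(SET, countersig))))
    return tlv(SEQ, *parts)

def signed_data(signer_infos, content=None, certs=()):
    """ContentInfo{id-signedData, [0] SignedData}; content=None gives a detached signature."""
    encap = [der_oid(ID_DATA)]
    if content is not None:
        encap.append(tlv(CTX0, tlv(OCTS, content)))   # eContent present: enveloping
    parts = [der_int(1), tlv(SET, alg(ID_SHA256)), tlv(SEQ, *encap)]
    if certs:
        parts.append(tlv(CTX0, *certs))               # certificates [0] IMPLICIT
    parts.append(tlv(SET, *signer_infos))
    return tlv(SEQ, der_oid(ID_SIGNED_DATA), tlv(CTX0, tlv(SEQ, *parts)))

# --- minimal DER decoding ---------------------------------------------------
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_signed_data(der):
    """Return (detached, certificate_ders, signer_info_ders) for a SignedData ContentInfo."""
    ctype, content = children(read_tlv(der)[1])
    if ctype[1] != der_oid(ID_SIGNED_DATA)[2:]:
        raise ValueError("not id-signedData")
    fields = children(children(content[1])[0][1])
    detached = all(tag != CTX0 for tag, _ in children(fields[2][1]))
    certs = [tlv(t, v) for t, v in children(fields[3][1])] if fields[3][0] == CTX0 else []
    signer_infos = [tlv(t, v) for t, v in children(fields[-1][1])]
    return detached, certs, signer_infos

def _issuer_serial(body):  # body = Name || INTEGER || ... ; returns (CN, serial)
    issuer, serial = children(body)[:2]
    cn = children(children(children(issuer[1])[0][1])[0][1])[1][1].decode()
    return cn, int.from_bytes(serial[1], "big")

def signer_reference(si_der):
    """What a bare SignerInfo tells you about the signer: only IssuerAndSerialNumber."""
    return _issuer_serial(children(read_tlv(si_der)[1])[1][1])

def find_certificate(certs, ref):
    """The lookup a DSS server must do before verifying a SignerInfo sent on its own."""
    return next((c for c in certs if _issuer_serial(read_tlv(c)[1]) == ref), None)

def has_countersignature(si_der):
    last_tag, last_body = children(read_tlv(si_der)[1])[-1]
    return last_tag == CTX1 and any(
        children(v)[0][1] == der_oid(ID_COUNTERSIGNATURE)[2:] for _, v in children(last_body))

def signed_data_approach_accepts(der):
    """Rule from the thread: reject requests carrying co- or counter-signatures."""
    _, _, sis = parse_signed_data(der)
    return len(sis) == 1 and not has_countersignature(sis[0])

# --- constructed sample data ------------------------------------------------
def placeholder_cert(cn, serial):  # stands in for a DER Certificate; not X.509
    return tlv(SEQ, name(cn), der_int(serial), tlv(OCTS, b"not-a-real-public-key"))

CONTENT = b"constructed sample document"
CERT = placeholder_cert("Example CA", 0x1001)
ENVELOPING = signed_data([signer_info("Example CA", 0x1001, b"\x00" * 8)], CONTENT, [CERT])
DETACHED = signed_data([signer_info("Example CA", 0x1001, b"\x00" * 8)], certs=[CERT])
COSIGNED = signed_data([signer_info("Example CA", 0x1001, b"\x00" * 8),
                        signer_info("Example CA", 0x1002, b"\x01" * 8)], CONTENT, [CERT])
COUNTERSIGNED = signed_data([signer_info("Example CA", 0x1001, b"\x00" * 8,
                             countersig=signer_info("Example CA", 0x1002, b"\x02" * 8))], CONTENT)
```

Run against the constructed blobs, `parse_signed_data` reports `DETACHED` as detached and `ENVELOPING` as not; extracting one SignerInfo from `DETACHED` and calling `signer_reference` yields only `("Example CA", 0x1001)`, so `find_certificate` succeeds against the SignedData's certificate set but returns `None` when the client sent the SignerInfo alone; and `signed_data_approach_accepts` is true for `ENVELOPING` but false for `COSIGNED` and `COUNTERSIGNED`, which is the restriction the thread accepts as a compromise.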