Re: [dss] CMS (request for comments)

[Trevor Perrin <trevp@trevp.net>]

At 09:22 PM 4/23/2004 +0200, Andreas Kuehne wrote:
>>>Why should I do client-side hashing in this case? The server will get 
>>>the complete content anyway?
>>
>>Right - the benefits of client-side hashing (bandwidth-savings, privacy) 
>>can't be achieved.
>>
>>Actually, that's not quite true - the client could re-code the enveloping 
>>signature as a detached signature.  In other words, the client could 
>>remove the enveloped data.  This requires changing the length fields 
>>within the SignedData, so it's a little more surgery than just extracting 
>>SignerInfo's and certificates, but it's possible.
>
>In 1980 I built my first modem with 300 baud. This gadget would have 
>caused the need for this otptimization.

Well, I dunno - input documents could be large (for code-signing, say, or 
an S/MIME attachment).


>I would suggest the usual approach : The core rejects 
>co-/counter-signatures, a special profiles handles it.

Yeah, after looking into it some more, it seems that co/counter-signatures 
in CMS aren't used much if at all.  So I agree with not supporting them in 
core.  Someone can write a more elaborate profile if they want.


Trevor