Thanks everyone for the information.

Ollie

-----Original Message-----
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 05, 2000 10:38 PM
To: [EMAIL PROTECTED]
Subject: Re: PKCS7_encrypt with a DSA certificate?


Eric Murray <[EMAIL PROTECTED]> writes:
> > 1. PKCS#7 requires RSA. 
> 
> No, it does not (except for section 9.5, Compatibility with
> Privacy-Enhanced Mail, which I assume we're not talking about).
> I'm reading version 1.5.  rsaEncryption (the doc's shorthand name
> for the RSA encryption OID) is mentioned as an example for both
> DigestEncryptionAlgorithmIdentifier and KeyEncryptionAlgorithmIdentifier
> (i.e. signing and encrypting) but it's not required.  What're you reading
> that says it does?  The version I have could be out of date, but
> RFC 2315 looks to be the same content...
Yes, in theory PKCS#7 has substitutable algorithms. In practice,
however, the only algorithm that it specifies is RSA. That's why
CMS was done in the first place.

> > 2. It doesn't really make sense to talk about encrypting with DSA.
> 
> Yea I know, I thought it was obvious enough not to mention it
> and that the original poster really meant signing not encrypting.
Actually, if you read PKCS#7 carefully, it can't be used with
DSA either. Consider the clause in S 9.2 and 9.4 which discusses
DigestEncryptionAlgorithm. This isn't meaningful in the context
of DSA. 

In theory, PKCS#7 has substitutable algorithms. In practice it has
no support for any other algorithm than RSA. Moreover, CMS had to
do significant violence to the ASN.1 to permit the use of DH.
CMS messages that use DH key exchanges are not legal PKCS#7 messages
at all. I.e. the BER isn't compatible.

-Ekr    


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
