Thanks everyone for the information.

Ollie

-----Original Message-----
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 05, 2000 10:38 PM
To: [EMAIL PROTECTED]
Subject: Re: PKCS7_encrypt with a DSA certificate?

Eric Murray <[EMAIL PROTECTED]> writes:
> > 1. PKCS#7 requires RSA.
>
> No, it does not (except for section 9.5, Compatibility with
> Privacy-Enhanced Mail, which I assume we're not talking about).
> I'm reading version 1.5. rsaEncryption (the doc's shorthand name
> for the RSA encryption OID) is mentioned as an example for both
> DigestEncryptionAlgorithmIdentifier and KeyEncryptionAlgorithmIdentifier
> (i.e. signing and encrypting) but it's not required. What're you reading
> that says it does? The version I have could be out of date, but
> RFC 2315 looks to be the same content...

Yes, in theory PKCS#7 has substitutable algorithms. In practice,
however, the only algorithm that it specifies is RSA. That's
why CMS was done in the first place.

> > 2. It doesn't really make sense to talk about encrypting with DSA.
>
> Yea I know, I thought it was obvious enough not to mention it
> and that the original poster really meant signing not encrypting.

Actually, if you read PKCS#7 carefully, it can't be used with
DSA either. Consider the clause in S 9.2 and 9.4 which discusses
DigestEncryptionAlgorithm. This isn't meaningful in the context
of DSA.

In theory, PKCS#7 has substitutable algorithms. In practice it
has no support for any other algorithm than RSA. Moreover, CMS
had to do significant violence to the ASN.1 to permit the use
of DH. CMS messages that use DH key exchanges are not legal
PKCS#7 messages at all. I.e. the BER isn't compatible.

-Ekr

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]