> * We now include a signature mechanism for the MUD files. It was always the
> plan to do this. There were two choices: CMS/PKCS#7 or JWS. Again for
> tooling's sake, so that people don't need to roll their own, especially for
> anything security related, we've gone with CMS and a detached signature at
> that. Thanks to John Bashinsky and others for their advice on this. This
> area in particular could stand close scrutiny.

Wouldn’t CMS still require serialization/canonicalization?

Tooling-wise, OpenSSL is indeed prevalent (and seems to do CMS quite well) – but JWS tools are around, so you wouldn’t need to roll your own if you decided to go that way.

Do I need the ability to tell whether a MUD file was not signed or its signature was deleted?

> Comments and edits are very welcome!

Have to settle for questions for now. :-)
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
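An added example, not part of the thread or of any MUD implementation, showing the point behind the canonicalization question: a detached CMS signature made with OpenSSL binds the exact bytes of the MUD file, so no JSON canonicalization is involved, but re-serializing the file (even just whitespace) breaks verification. The MUD content, signer certificate and file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example: detached CMS signature over a constructed MUD file with OpenSSL.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed sample MUD file (toy content, not a real manufacturer's file).
cat > device.json <<'EOF'
{"ietf-mud:mud": {"mud-version": 1, "mud-url": "https://example.com/device.json"}}
EOF

# Self-signed signer certificate and key, generated locally just for the demo.
openssl req -x509 -newkey rsa:2048 -nodes -keyout signer.key -out signer.crt \
  -subj "/CN=example-mud-signer" -days 1 >/dev/null 2>&1

# Detached, DER-encoded CMS signature over the raw bytes of device.json.
# -binary stops OpenSSL from rewriting line endings into MIME canonical form.
openssl cms -sign -binary -in device.json -signer signer.crt -inkey signer.key \
  -outform DER -out device.p7s

# verify_mud FILE SIG: returns 0 if SIG verifies over FILE's exact bytes, 1 otherwise.
# -CAfile pins the demo self-signed cert; a deployment would use its real trust anchor.
verify_mud() {
  openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
    -CAfile signer.crt -out /dev/null >/dev/null 2>&1
}

verify_mud device.json device.p7s && echo "original bytes: signature OK"

# Same JSON data model, different serialization (extra whitespace).
# Verification fails: CMS signed bytes, not a canonical JSON document.
printf '{ "ietf-mud:mud" : {"mud-version": 1, "mud-url": "https://example.com/device.json"} }\n' \
  > reserialized.json
verify_mud reserialized.json device.p7s || echo "reserialized bytes: signature FAILS"
```

Because the signature is detached, a deleted .p7s is indistinguishable from a file that was never signed unless the MUD file itself points at its signature, which is the role the published RFC 8520 gives the mud-signature URL.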
