Hi WG,

This email is the last one in the set of emails related to multi-signature 
support. 

This email explores which changes would be needed in current SIDR documents to 
support multi-signatures in ROA and Manifest objects.

        A) Multi-signature support for ROAs:
Here is the result of the evaluation of the changes required for 
multi-signature support:

        - Multiple SignerInfo objects are expressly forbidden by section 2.1 of 
the draft-ietf-sidr-roa-format-06 document.

        - However, the verification of a single SignerInfo object is not 
required in the validation process: Section 3.

        - In several sections of the SIDR documents there are references to 
"the certificate" to refer to the EE certificate that carries the public key to 
validate a ROA object. This text would need to be modified.

        - ROA Validation: In a multiple signed ROA, there are multiple PKI 
hierarchies that could be used to validate a ROA. The validation using one PKI 
tree should be a sufficient condition to consider the ROA as valid. 


        B) Multi-signature support for Manifest:
Here is the result of the evaluation of the changes required for 
multi-signature support:
        - Conversely to what happens in the ROA document, the manifest document 
does not explicitly require a single SignerInfo object in section 4.1.6 and 
consequently there is no requirement of verification during the validation 
process of section 7.

        - However, there is a requirement of using one Manifest per CA, even if 
sharing the same publication point. If a Manifest is shared by different CAs 
which also use different crypto algorithms, we may need to help the relying 
parties to decide which documents they are able to verify and which ones they are not. 
If we would like to support multiple signatures in the manifest, it would be 
useful to add the encryption algorithm OID in the FileAndHash objects inside 
the manifest.

        - Again, in several documents in the WG there are references to "the 
certificate" when referring to the EE certificate for validating the Manifest.


We look forward to your comments.

Regards,

Roque (for the algorithm agility team).


_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
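
Added example (not part of the original email or of any SIDR document): a sketch of how a relying party could use the per-file algorithm OID proposed in B) to sort manifest entries into those it can verify and those it cannot. The extended FileAndHash layout, the `triage` and `demo` names, the file names and the choice of supported algorithms are assumptions; the two OIDs are the standard identifiers for sha256WithRSAEncryption and ecdsa-with-SHA256.

```python
import hashlib
from dataclasses import dataclass

SHA256_WITH_RSA = "1.2.840.113549.1.1.11"    # sha256WithRSAEncryption
ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"    # ecdsa-with-SHA256


@dataclass(frozen=True)
class FileAndHashAlg:
    """Hypothetical FileAndHash entry extended with an algorithm OID."""
    file: str
    sha256: bytes
    alg_oid: str   # assumed: signature algorithm of the listed object


def triage(entries, fetched, supported_oids):
    """Classify manifest entries for one relying party.

    fetched maps file name -> bytes retrieved from the publication point.
    The hash check runs first because it does not depend on the signature
    algorithm: a modified file is flagged even when this relying party
    could not have verified its signature anyway.
    """
    out = {"verifiable": [], "unsupported": [], "missing": [], "hash_mismatch": []}
    for e in entries:
        data = fetched.get(e.file)
        if data is None:
            out["missing"].append(e.file)
        elif hashlib.sha256(data).digest() != e.sha256:
            out["hash_mismatch"].append(e.file)
        elif e.alg_oid not in supported_oids:
            # Not a validation failure: the object may be fine, but this
            # relying party has no way to check it.
            out["unsupported"].append(e.file)
        else:
            out["verifiable"].append(e.file)
    return out


def demo(supported_oids=frozenset({SHA256_WITH_RSA})):
    # Constructed sample data: four listed files from two CAs sharing a manifest.
    content = {"a.roa": b"roa-A", "b.roa": b"roa-B", "c.roa": b"roa-C", "d.crl": b"crl-D"}
    algs = {"a.roa": SHA256_WITH_RSA, "b.roa": ECDSA_WITH_SHA256,
            "c.roa": SHA256_WITH_RSA, "d.crl": SHA256_WITH_RSA}
    entries = [FileAndHashAlg(n, hashlib.sha256(c).digest(), algs[n])
               for n, c in content.items()]
    fetched = dict(content)
    fetched["c.roa"] = b"roa-C-modified"   # altered after the manifest was issued
    del fetched["d.crl"]                   # listed but absent from the repository
    return triage(entries, fetched, supported_oids)
```

Only the files in `verifiable` go on to signature validation; keeping `unsupported` separate from `hash_mismatch` and `missing` lets the relying party tell "cannot check" apart from "failed the check".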
