#79: Precertificate signature must be over something other than just the TBSCertificate
Comment (by [email protected]): It is unclear to me whether this is really a problem. RFC 5652 says: "The input to the signature generation process includes the result of the message digest calculation process and the signer's private key. The details of the signature generation depend on the signature algorithm employed." It then defers to RFC 5280 for the actual definition of the algorithms. AFAIK, RFC 5280 only specifies algorithms that are intended to work on bulk data (i.e. TBSCertificates), and hence they always digest the data first. This would imply that the signature would be over a digest of a digest. However, its not the clearest RFC I ever read. If that interpretation is correct, then there is no problem. If there is a problem, I agree that option 2 is better. -- -------------------------------------+------------------------------------- Reporter: | Owner: [email protected] | [email protected] Type: defect | Status: assigned Priority: blocker | Milestone: Component: rfc6962-bis | Version: Severity: - | Resolution: Keywords: | -------------------------------------+------------------------------------- Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/79#comment:2> trans <http://tools.ietf.org/trans/> _______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
