#79: Precertificate signature must be over something other than just the TBSCertificate
Comment (by [email protected]):

 Replying to [comment:2 benl@…]:
 > It is unclear to me whether this is really a problem.

 OK, further investigation required.

 <snip>

 > If there is a problem, I agree that option 2 is better.

 Assuming for now that there is a problem...

 Erwann suggests:

 "Specify that the EncapsulatedContentInfo MUST be some specific value
 (allocate an OID from IETF/IANA/whatever). RFC5652 states that if the
 EncapsulatedContentInfo is not id-data, then the signedAttrs MUST be
 present (whence solution 2 will apply)."

 RFC5652 says that when signedAttrs is present...

 "it MUST contain, at a minimum, the following two attributes:

 A content-type attribute having as its value the content type of the
 EncapsulatedContentInfo value being signed. Section 11.1 defines the
 content-type attribute. However, the content-type attribute MUST NOT be
 used as part of a countersignature unsigned attribute as defined in
 Section 11.4.

 A message-digest attribute, having as its value the message digest of
 the content. Section 11.2 defines the message-digest attribute."

 Putting just those two required attributes in signedAttrs seems
 sufficient.

--
-------------------------------------+-------------------------------------
 Reporter:  [email protected]    |       Owner:  [email protected]
     Type:  defect                   |      Status:  assigned
 Priority:  blocker                  |   Milestone:
Component:  rfc6962-bis              |     Version:
 Severity:  -                        |  Resolution:
 Keywords:                           |
-------------------------------------+-------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/79#comment:3>
trans <http://tools.ietf.org/trans/>

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
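As an added worked example (not code from the ticket, from RFC 5652 or from any CT implementation), the Python below builds the minimal signedAttrs the comment describes and shows what the SignerInfo signature is actually computed over in each case. With no signedAttrs the signature input is the eContent itself, so a CMS signature over a TBSCertificate under id-data is a signature over exactly the bytes a CA signs when issuing a certificate; with signedAttrs present the signature is over the DER SET of attributes (RFC 5652 section 5.4), which carries only a digest of the content and begins with the SET tag rather than the SEQUENCE tag of a TBSCertificate. Assumptions: the content-type OID 2.999.1 is a placeholder under the ITU-T example arc, not the OID the ticket asks to have allocated; the "TBSCertificate" is a constructed stand-in SEQUENCE, not a real certificate body; the DER encoder and walker are hand-rolled so the script runs without third-party packages; SHA-256 is the assumed digest algorithm.

```python
"""Signature input of CMS SignedData with and without signedAttrs (RFC 5652 s5.3/s5.4).

Added example for trac ticket #79; not code from the ticket, the RFC or any CT
implementation.  OID 2.999.1 is a placeholder (ITU-T example arc), and the
"TBSCertificate" used in the demo is a constructed stand-in, not a real one.
"""
import hashlib

OID_DATA = "1.2.840.113549.1.7.1"             # id-data (RFC 5652 s4)
OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"     # content-type attribute (s11.1)
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"   # message-digest attribute (s11.2)
OID_PLACEHOLDER_PRECERT = "2.999.1"           # ASSUMPTION: stand-in for a yet-to-be-allocated OID


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(body)) + body


def oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs merged as 40*a+b, all arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = bytearray([v & 0x7F])
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def children(tlv_bytes):
    """Split a constructed DER TLV into its child TLVs (handles long-form lengths)."""
    def read_len(buf, i):
        n = buf[i]
        i += 1
        if n & 0x80:
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        return n, i
    n, i = read_len(tlv_bytes, 1)
    body = tlv_bytes[i:i + n]
    out, j = [], 0
    while j < len(body):
        m, k = read_len(body, j + 1)
        out.append(body[j:k + m])
        j = k + m
    return out


def signed_attrs(content, content_type):
    """Minimal SignedAttrs per RFC 5652 s5.3: content-type + message-digest only.

    Each Attribute is SEQUENCE { type OID, values SET OF ANY }; the outer SET OF
    is DER-sorted by encoded value (X.690 11.6).
    """
    attrs = [
        tlv(0x30, oid(OID_CONTENT_TYPE) + tlv(0x31, oid(content_type))),
        tlv(0x30, oid(OID_MESSAGE_DIGEST)
            + tlv(0x31, tlv(0x04, hashlib.sha256(content).digest()))),
    ]
    return tlv(0x31, b"".join(sorted(attrs)))


def signature_input(content, content_type=None):
    """Bytes the SignerInfo signature is computed over (RFC 5652 s5.4).

    signedAttrs absent  -> the eContent octets themselves.
    signedAttrs present -> DER of the attribute SET, with the SET OF tag (0x31),
                           not the [0] IMPLICIT tag (0xA0) used inside SignerInfo.
    """
    if content_type is None:
        return content
    return signed_attrs(content, content_type)


def wire_signed_attrs(attrs_der):
    """How the same attributes appear inside SignerInfo: [0] IMPLICIT replaces the SET tag."""
    return b"\xa0" + attrs_der[1:]


def check_required_attrs(attrs_der, content, content_type):
    """True if attrs_der carries both mandatory attributes with the expected values."""
    seen = {}
    for attr in children(attrs_der):
        attr_type, values = children(attr)
        seen[attr_type] = children(values)
    return (seen.get(oid(OID_CONTENT_TYPE)) == [oid(content_type)]
            and seen.get(oid(OID_MESSAGE_DIGEST))
            == [tlv(0x04, hashlib.sha256(content).digest())])


if __name__ == "__main__":
    # Constructed stand-in for a TBSCertificate: a SEQUENCE with a version INTEGER and a blob.
    tbs = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x04, b"constructed stand-in TBSCertificate"))
    print("no signedAttrs: signs the TBS itself ->", signature_input(tbs) == tbs)
    attrs = signature_input(tbs, OID_PLACEHOLDER_PRECERT)
    print("with signedAttrs: first tag 0x%02x, TBS embedded: %s" % (attrs[0], tbs in attrs))
    print("mandatory attributes present ->", check_required_attrs(attrs, tbs, OID_PLACEHOLDER_PRECERT))
```

The check function is the piece a log or client would run before trusting a precertificate signature under the proposed rule: if the content type is anything but id-data, signedAttrs must be present, and both mandatory attributes must bind the signature to that content type and to the digest of the encapsulated content.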
