Rob,
On 11/06/15 22:42, Stephen Kent wrote:
what does it mean to not be "an X509 signature"?
I thought the intent was to use a CMS object, and thus the signature
would be defined by that (profiled) CMS object.
Hi Steve. That's correct.
At the top of ticket #79 I wrote:
"If I understand the CMS spec correctly, then we're currently defining
a Precertificate to be a CMS structure that contains a TBSCertificate
and a signature over just that TBSCertificate.
That means that the components of a Precertificate can be trivially
rearranged into an X.509 certificate with a valid signature!"
It turns out that I didn't understand correctly. :-)
happens to all of us ;-)
Ben added some text to help clarify the situation:
"Note that, because of the structure of CMS, the signature on the CMS
object will not be a valid X.509v3 signature and so cannot be used to
construct a certificate from the precertificate."
I might say: "The signature on the CMS structure used to convey a
pre-certificate is not the same as the signature that appears in the
X.509 certificate, per se."
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans