1 - The document goes beyond specifying how to determine if a message is validly signed by a given signer.

The text may be misleading, but there is 'a successful', not just 'successful'. Maybe

The core of the dispute is the following proposed sentence:
| When the collection represents more than one signature, the successful
| validation of one of signature from each signer ought to be
| treated as a successful validation of the signed-data content type.
This sentence implicitly states that the document as a whole is well signed when all the signers have signed it !!! It cannot stay like that.
The intent was to say the message was validly signed by a given signer, if any of the digital signatures from that signer is valid.
I think there is consensus.
The key question is first: How can the CMS engine (*not* the application) determine which digital signatures are from the same signer.

I understand that this is out of scope of the document. I don't say that I agree.

The second point (and I have not mentioned this argument before) is that saying that "the message was validly signed by a given signer, if any of the digital signatures from that signer is valid" only works if the algorithms used are *all* considered as secure. A few words in the security considerations section (only 3 lines today) would certainly help to take care of that point.

Since a non secure algorithm would be rejected, the signature would not be validated. But
_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.