[pkix] Redundant signature algorithm info in certs.

"Erik Andersen" <era@x500.eu> Tue, 24 May 2016 13:08 UTC

Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id A3AF712D7D7 for <pkix@ietfa.amsl.com>; Tue, 24 May 2016 06:08:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.851
X-Spam-Status: No, score=0.851 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_WEB=0.77] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 4FA0gVHkbtLW for <pkix@ietfa.amsl.com>; Tue, 24 May 2016 06:08:45 -0700 (PDT)
Received: from mail02.dandomain.dk (mail02.dandomain.dk []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DA1612D783 for <pkix@ietf.org>; Tue, 24 May 2016 06:06:58 -0700 (PDT)
Received: from Morten ([]) by mail02.dandomain.dk (DanDomain Mailserver) with ASMTP id 2201605241506531446; Tue, 24 May 2016 15:06:53 +0200
From: "Erik Andersen" <era@x500.eu>
To: "PKIX" <pkix@ietf.org>, "Directory list" <x500standard@freelists.org>
Date: Tue, 24 May 2016 15:06:56 +0200
Message-ID: <000701d1b5bd$267b0d60$73712820$@x500.eu>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0008_01D1B5CD.EA0515E0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdG1uyUAKBrVe/+ITKKOuVylulvtQw==
Content-Language: en-gb
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/WM8IvdewHFZBFEXnhEaeOoxJk7w>
Subject: [pkix] Redundant signature algorithm info in certs.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2016 13:08:48 -0000

The question about apparently redundant signature algorithm information in
public-key certificates, attribute certificates and CRLs has been raised
before. It seems clear that by including the signature algorithm within the
body of the cert, it is protected by the signature. But why does the
algorithm then has to be part of the signature itself?


I am not suggesting to change current specifications. The question could be
relevant for new  signed structures developed by other specifications.