RE: Who has tried some or all of the S/MIME examples?

"Pawling, John" <John.Pawling@DigitalNet.com> Thu, 08 May 2003 19:42 UTC

Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA06449 for <smime-archive@lists.ietf.org>; Thu, 8 May 2003 15:42:20 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h48JL1i2092127 for <ietf-smime-bks@above.proper.com>; Thu, 8 May 2003 12:21:01 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h48JL1kC092126 for ietf-smime-bks; Thu, 8 May 2003 12:21:01 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from gghqex3.gfgsi.com (netva01.getronicsgov.com [67.105.229.98]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h48JKui2092109; Thu, 8 May 2003 12:21:00 -0700 (PDT) (envelope-from John.Pawling@DigitalNet.com)
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: Who has tried some or all of the S/MIME examples?
Date: Thu, 08 May 2003 15:20:57 -0400
Message-ID: <E82B05C2BA733C49999291EA4872CA1506A977@gghqex3.gfgsi.com>
Thread-Topic: Who has tried some or all of the S/MIME examples?
Thread-Index: AcMVlKcg8DWOaq3GQvSWovPQnHulXgAAg8xg
From: "Pawling, John" <John.Pawling@DigitalNet.com>
To: Russ Housley <housley@vigilsec.com>, blake@brutesquadlabs.com, phoffman@imc.org
Cc: ietf-smime@imc.org, ietf-smime-examples@imc.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h48JL0i3092116
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit

All,

DigitalNet agrees with Russ, Blake and Jim.  We will generate a new
example 5.1 message that includes the id-dsa-with-sha1 OID.

====================================================
John Pawling, John.Pawling@DigitalNet.com
DigitalNet (formerly Getronics Government Solutions)
===================================================



-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com] 
Sent: Thursday, May 08, 2003 2:47 PM
To: blake@brutesquadlabs.com; phoffman@imc.org
Cc: ietf-smime@imc.org; ietf-smime-examples@imc.org
Subject: RE: Who has tried some or all of the S/MIME examples?


I believe that we should be using id-dsa-with-sha1.

Russ


 > > 5.1.bin - failed
 > > 	1.  signatureAlgorithm is 1.2.840.10040.4.1 not
1.2.840.10040.4.3
 >
 > From RFC3370, section 3.1:
 >
 >    The algorithm identifier for DSA with SHA-1 signature values is:
 >
 >       id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
 >           us(840) x9-57 (10040) x9cm(4) 3 }
 >
 >    When the id-dsa-with-sha1 algorithm identifier is used, the
 >    AlgorithmIdentifier parameters field MUST be absent.
 >
 >
 > From RFC2630, section 12.2.1:
 >
 >    The DSA signature algorithm is defined in FIPS Pub 186 [DSS].  DSA
is
 >    always used with the SHA-1 message digest algorithm.  The
algorithm
 >    identifier for DSA is:
 >
 >       id-dsa-with-sha1 OBJECT IDENTIFIER ::=  { iso(1) member-body(2)
 >           us(840) x9-57 (10040) x9cm(4) 3 }
 >
 >    The AlgorithmIdentifier parameters field must not be present.
 >
 >
 > From RFC2633, section 2.2:
 >
 >    Sending and receiving agents MUST support id-dsa defined in [DSS].
 >    The algorithm parameters MUST be absent (not encoded as NULL).
 >
 >
 > From RFC2633, Appendix A:
 >
 > -- id-dsa OBJECT IDENTIFIER ::=
 > --    {iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 }
 >
 >
 > From rfc2633bis-03:
 >
 > Receiving agents MUST support id-dsa defined in [CMSALG]. The
 > algorithm parameters MUST be absent (not encoded as NULL).
 > Receiving agents MUST support rsaEncryption, defined in [CMSALG].
 >
 >
 > From RFC3370, section 3.1:
 >
 >       id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2)
 >           us(840) x9-57 (10040) x9cm(4) 1 }
 >
 >
 > So the bottom line is that CMS says one thing
 > (id-dsa-with-sha1), and MSG says something else (id-dsa).
 > Consensus welcome.  We went round and round about this at one
 > point, due to the use of the rsaEncryption value vs. the use
 > of the sha-1WithRSAEncryption value.
 >
 > Recommend accept both, emit id-dsa-with-sha1, change the
 > samples to use id-dsa-with-sha1 and changing rfc2633bis to say:
 >
 >
 > 2.2 SignatureAlgorithmIdentifier
 >
 > Receiving agents MUST support id-dsa-with-sha1 defined in
 > [CMSALG]. The algorithm parameters MUST be absent (not
 > encoded as NULL). Receiving agents MUST support
 > rsaEncryption, defined in [CMSALG].
 >
 > Sending agents MUST support either id-dsa-with-sha1 or rsaEncryption.
 >
 > Note that S/MIME v3 clients might only implement signing or
 > signature verification using id-dsa-with-sha1, and might also
 > use id-dsa as an AlgorithmIdentifier in this field. Receiving
 > clients SHOULD recognize id-dsa as equivalent to
 > id-dsa-with-sha1, and sending clients MUST use
 > id-dsa-with-sha1 if using that algorithm. Also note that
 > S/MIME v2 clients are only capable of verifying digital
 > signatures using the rsaEncryption algorithm.
 >
 > Blake
 >