RE: Who has tried some or all of the S/MIME examples?
"Pawling, John" <John.Pawling@DigitalNet.com> Thu, 08 May 2003 19:42 UTC
Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA06449 for <smime-archive@lists.ietf.org>; Thu, 8 May 2003 15:42:20 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h48JL1i2092127 for <ietf-smime-bks@above.proper.com>; Thu, 8 May 2003 12:21:01 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h48JL1kC092126 for ietf-smime-bks; Thu, 8 May 2003 12:21:01 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from gghqex3.gfgsi.com (netva01.getronicsgov.com [67.105.229.98]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h48JKui2092109; Thu, 8 May 2003 12:21:00 -0700 (PDT) (envelope-from John.Pawling@DigitalNet.com)
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: Who has tried some or all of the S/MIME examples?
Date: Thu, 08 May 2003 15:20:57 -0400
Message-ID: <E82B05C2BA733C49999291EA4872CA1506A977@gghqex3.gfgsi.com>
Thread-Topic: Who has tried some or all of the S/MIME examples?
Thread-Index: AcMVlKcg8DWOaq3GQvSWovPQnHulXgAAg8xg
From: "Pawling, John" <John.Pawling@DigitalNet.com>
To: Russ Housley <housley@vigilsec.com>, blake@brutesquadlabs.com, phoffman@imc.org
Cc: ietf-smime@imc.org, ietf-smime-examples@imc.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h48JL0i3092116
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit
All, DigitalNet agrees with Russ, Blake and Jim. We will generate a new example 5.1 message that includes the id-dsa-with-sha1 OID. ==================================================== John Pawling, John.Pawling@DigitalNet.com DigitalNet (formerly Getronics Government Solutions) =================================================== -----Original Message----- From: Russ Housley [mailto:housley@vigilsec.com] Sent: Thursday, May 08, 2003 2:47 PM To: blake@brutesquadlabs.com; phoffman@imc.org Cc: ietf-smime@imc.org; ietf-smime-examples@imc.org Subject: RE: Who has tried some or all of the S/MIME examples? I believe that we should be using id-dsa-with-sha1. Russ > > 5.1.bin - failed > > 1. signatureAlgorithm is 1.2.840.10040.4.1 not 1.2.840.10040.4.3 > > From RFC3370, section 3.1: > > The algorithm identifier for DSA with SHA-1 signature values is: > > id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) > us(840) x9-57 (10040) x9cm(4) 3 } > > When the id-dsa-with-sha1 algorithm identifier is used, the > AlgorithmIdentifier parameters field MUST be absent. > > > From RFC2630, section 12.2.1: > > The DSA signature algorithm is defined in FIPS Pub 186 [DSS]. DSA is > always used with the SHA-1 message digest algorithm. The algorithm > identifier for DSA is: > > id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) > us(840) x9-57 (10040) x9cm(4) 3 } > > The AlgorithmIdentifier parameters field must not be present. > > > From RFC2633, section 2.2: > > Sending and receiving agents MUST support id-dsa defined in [DSS]. > The algorithm parameters MUST be absent (not encoded as NULL). > > > From RFC2633, Appendix A: > > -- id-dsa OBJECT IDENTIFIER ::= > -- {iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 } > > > From rfc2633bis-03: > > Receiving agents MUST support id-dsa defined in [CMSALG]. The > algorithm parameters MUST be absent (not encoded as NULL). > Receiving agents MUST support rsaEncryption, defined in [CMSALG]. > > > From RFC3370, section 3.1: > > id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) > us(840) x9-57 (10040) x9cm(4) 1 } > > > So the bottom line is that CMS says one thing > (id-dsa-with-sha1), and MSG says something else (id-dsa). > Consensus welcome. We went round and round about this at one > point, due to the use of the rsaEncryption value vs. the use > of the sha-1WithRSAEncryption value. > > Recommend accept both, emit id-dsa-with-sha1, change the > samples to use id-dsa-with-sha1 and changing rfc2633bis to say: > > > 2.2 SignatureAlgorithmIdentifier > > Receiving agents MUST support id-dsa-with-sha1 defined in > [CMSALG]. The algorithm parameters MUST be absent (not > encoded as NULL). Receiving agents MUST support > rsaEncryption, defined in [CMSALG]. > > Sending agents MUST support either id-dsa-with-sha1 or rsaEncryption. > > Note that S/MIME v3 clients might only implement signing or > signature verification using id-dsa-with-sha1, and might also > use id-dsa as an AlgorithmIdentifier in this field. Receiving > clients SHOULD recognize id-dsa as equivalent to > id-dsa-with-sha1, and sending clients MUST use > id-dsa-with-sha1 if using that algorithm. Also note that > S/MIME v2 clients are only capable of verifying digital > signatures using the rsaEncryption algorithm. > > Blake >
- Who has tried some or all of the S/MIME examples? Paul Hoffman / IMC
- RE: Who has tried some or all of the S/MIME examp… Pawling, John
- RE: Who has tried some or all of the S/MIME examp… Blake Ramsdell
- RE: Who has tried some or all of the S/MIME examp… Jim Schaad
- RE: Who has tried some or all of the S/MIME examp… Blake Ramsdell
- RE: Who has tried some or all of the S/MIME examp… Jim Schaad
- RE: Who has tried some or all of the S/MIME examp… Russ Housley
- RE: Who has tried some or all of the S/MIME examp… Pawling, John