RE: Who has tried some or all of the S/MIME examples?
"Blake Ramsdell" <blake@brutesquadlabs.com> Wed, 07 May 2003 23:16 UTC
Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA23008 for <smime-archive@lists.ietf.org>; Wed, 7 May 2003 19:16:49 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h47Mxri2005291 for <ietf-smime-bks@above.proper.com>; Wed, 7 May 2003 15:59:53 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h47MxrUX005290 for ietf-smime-bks; Wed, 7 May 2003 15:59:53 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h47Mxqi2005277; Wed, 7 May 2003 15:59:52 -0700 (PDT) (envelope-from blake@brutesquadlabs.com)
Received: from DEXTER ([192.168.0.4]) by brutesquadlabs.com with ESMTP ; Wed, 7 May 2003 15:59:49 -0700
From: Blake Ramsdell <blake@brutesquadlabs.com>
To: jimsch@exmsft.com, 'Paul Hoffman / IMC' <phoffman@imc.org>, ietf-smime@imc.org, ietf-smime-examples@imc.org
Subject: RE: Who has tried some or all of the S/MIME examples?
Date: Wed, 07 May 2003 15:59:49 -0700
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAgAaV731Zhk6UM1X43Z2mCAEAAAAA@brutesquadlabs.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
In-Reply-To: <000001c314dd$6404f400$1700a8c0@soaringhawk.net>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit
> -----Original Message----- > From: Jim Schaad [mailto:jimsch@nwlink.com] > Sent: Wednesday, May 07, 2003 2:13 PM > To: 'Blake Ramsdell'; 'Paul Hoffman / IMC'; > ietf-smime@imc.org; ietf-smime-examples@imc.org > Subject: RE: Who has tried some or all of the S/MIME examples? > > 5.1.bin - failed > 1. signatureAlgorithm is 1.2.840.10040.4.1 not > 1.2.840.10040.4.3 From RFC3370, section 3.1: The algorithm identifier for DSA with SHA-1 signature values is: id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57 (10040) x9cm(4) 3 } When the id-dsa-with-sha1 algorithm identifier is used, the AlgorithmIdentifier parameters field MUST be absent. From RFC2630, section 12.2.1: The DSA signature algorithm is defined in FIPS Pub 186 [DSS]. DSA is always used with the SHA-1 message digest algorithm. The algorithm identifier for DSA is: id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57 (10040) x9cm(4) 3 } The AlgorithmIdentifier parameters field must not be present. From RFC2633, section 2.2: Sending and receiving agents MUST support id-dsa defined in [DSS]. The algorithm parameters MUST be absent (not encoded as NULL). From RFC2633, Appendix A: -- id-dsa OBJECT IDENTIFIER ::= -- {iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 } From rfc2633bis-03: Receiving agents MUST support id-dsa defined in [CMSALG]. The algorithm parameters MUST be absent (not encoded as NULL). Receiving agents MUST support rsaEncryption, defined in [CMSALG]. From RFC3370, section 3.1: id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57 (10040) x9cm(4) 1 } So the bottom line is that CMS says one thing (id-dsa-with-sha1), and MSG says something else (id-dsa). Consensus welcome. We went round and round about this at one point, due to the use of the rsaEncryption value vs. the use of the sha-1WithRSAEncryption value. Recommend accept both, emit id-dsa-with-sha1, change the samples to use id-dsa-with-sha1 and changing rfc2633bis to say: 2.2 SignatureAlgorithmIdentifier Receiving agents MUST support id-dsa-with-sha1 defined in [CMSALG]. The algorithm parameters MUST be absent (not encoded as NULL). Receiving agents MUST support rsaEncryption, defined in [CMSALG]. Sending agents MUST support either id-dsa-with-sha1 or rsaEncryption. Note that S/MIME v3 clients might only implement signing or signature verification using id-dsa-with-sha1, and might also use id-dsa as an AlgorithmIdentifier in this field. Receiving clients SHOULD recognize id-dsa as equivalent to id-dsa-with-sha1, and sending clients MUST use id-dsa-with-sha1 if using that algorithm. Also note that S/MIME v2 clients are only capable of verifying digital signatures using the rsaEncryption algorithm. Blake
- Who has tried some or all of the S/MIME examples? Paul Hoffman / IMC
- RE: Who has tried some or all of the S/MIME examp… Pawling, John
- RE: Who has tried some or all of the S/MIME examp… Blake Ramsdell
- RE: Who has tried some or all of the S/MIME examp… Jim Schaad
- RE: Who has tried some or all of the S/MIME examp… Blake Ramsdell
- RE: Who has tried some or all of the S/MIME examp… Jim Schaad
- RE: Who has tried some or all of the S/MIME examp… Russ Housley
- RE: Who has tried some or all of the S/MIME examp… Pawling, John