Re: x.509 signature clarification?

To: Joseph Galbraith <galb-list%vandyke.com@localhost>
Subject: Re: x.509 signature clarification?
From: Thor Simon <tls%cs.stevens-tech.edu@localhost>
Date: Thu, 5 Jul 2001 15:50:15 -0400

On Thu, Jul 05, 2001 at 01:09:39PM -0600, Joseph Galbraith wrote:
> 
> I'm tempted to suggest that the signature is in PKCS #7
> format, though this seems to be a bit of an overkill...
> it would however, address both the above problems, because
> the digest algorithm would be specified as part of the PKCS #7
> packet.  We might consider specifying a PKCS #7 signature,
> with an "external signature" and no included certificates
> or CRL information.

Actually, I think that if we were to go with PKCS #7 (which might
not really be such a bad idea) we'd want to fill out the certificate
as fully as possible, including CRL information.  Look what's happened
to people who've failed to do so (e.g. VeriSign, who ended up in the
unenviable position of having issued bogus certificates but being unable
to revoke them!).

Certainly we should not specify that the CRL field is *not* to be
filled in.

Thor

Follow-Ups:
- Re: x.509 signature clarification?
  - From: Joseph Galbraith

References:
- x.509 signature clarification?
  - From: Joseph Galbraith

Prev by Date: x.509 signature clarification?
Next by Date: Re: x.509 signature clarification?
Previous by Thread: x.509 signature clarification?
Next by Thread: Re: x.509 signature clarification?
Indexes:

Home | Main Index | Thread Index | Old Index