Cryptographic Message Syntax (CMS) Multiple Signer Clarification
RFC 4853
Document | Type |
RFC - Proposed Standard
(April 2007; Errata)
Updates RFC 3852
|
|
---|---|---|---|
Author | Russ Housley | ||
Last updated | 2020-01-21 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Reviews | |||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 4853 (Proposed Standard) | |
Action Holders |
(None)
|
||
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Sam Hartman | ||
Send notices to | (None) |
Network Working Group R. Housley Request for Comments: 4853 Vigil Security Updates: 3852 April 2007 Category: Standards Track Cryptographic Message Syntax (CMS) Multiple Signer Clarification Status of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract This document updates the Cryptographic Message Syntax (CMS), which is published in RFC 3852. This document clarifies the proper handling of the SignedData protected content type when more than one digital signature is present. Housley Standards Track [Page 1] RFC 4853 CMS Multiple Signer Clarification April 2007 1. Introduction This document updates the Cryptographic Message Syntax [CMS]. The CMS SignedData protected content type allows multiple digital signatures, but the specification is unclear about the appropriate processing by a recipient of such a signed content. This document provides replacement text for a few paragraphs, making it clear that the protected content is validly signed by a given signer, if any of the digital signatures from that signer are valid. This property is especially important in two cases. First, when the recipients do not all implement the same digital signature algorithm, a signer can sign the content with several different digital signature algorithms so that each of the recipients can find an acceptable signature. For example, if some recipients support RSA and some recipients support ECDSA, then the signer can generate two signatures, one with RSA and one with ECDSA, so that each recipient will be able to validate one of the signatures. Second, when a community is transitioning one-way hash functions or digital signature algorithms, a signer can sign the content with the older and the newer signature algorithms so that each recipient can find an acceptable signature, regardless of their state in the transition. For example, consider a transition from RSA with SHA-1 to RSA with SHA-256. The signer can generate two signatures, one with SHA-1 and one with SHA-256, so that each recipient will be able to validate at least one of the RSA signatures. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [STDWORDS]. 3. Update to RFC 3852, Section 5: Signed-data Content Type RFC 3852, section 5, the next to the last paragraph says: | A recipient independently computes the message digest. This message | digest and the signer's public key are used to verify the signature | value. The signer's public key is referenced either by an issuer | distinguished name along with an issuer-specific serial number or by | a subject key identifier that uniquely identifies the certificate | containing the public key. The signer's certificate can be included | in the SignedData certificates field. Housley Standards Track [Page 2] RFC 4853 CMS Multiple Signer Clarification April 2007 This block of text is replaced with: | A recipient independently computes the message digest. This message | digest and the signer's public key are used to verify the signature | value. The signer's public key is referenced either by an issuer | distinguished name along with an issuer-specific serial number or by | a subject key identifier that uniquely identifies the certificate | containing the public key. The signer's certificate can be included | in the SignedData certificates field. | | When more than one signature is present, the successful validation | of one signature associated with a given signer is usually treated | as a successful signature by that signer. However, there are some | application environments where other rules are needed. An | application that employs a rule other than one valid signature for | each signer must specify those rules. Also, where simple matching of | the signer identifier is not sufficient to determine whether the | signatures were generated by the same signer, the application | specification must describe how to determine which signatures were | generated by the same signer. Support of different communities of | recipients is the primary reason that signers choose to include moreShow full document text