[openssl-dev] Signing Internet-Drafts and RFCs
Matt Caswell
matt at openssl.org
Thu May 12 08:27:55 UTC 2016
On 11/05/16 22:03, Russ Housley wrote:
> Today, the IETF uses OpenSSL to digitally sign Internet-Drafts. If
> you care about the details, please see RFC 5485.
>
> We are looking to expand Internet-Draft signing, and start signing
> RFCs as well. Someone has suggested that we support RFC 5126, "CMS
> Advanced Electronic Signatures (CAdES)". This would mean including
> some signed attributes that we do not currently use.
>
> A CAdES Basic Electronic Signature (CAdES-BES) must include these
> signed attributes:
>
> - Content-type — I know OpenSSL supports this one.
> - Message-digest — I know OpenSSL supports this one.
> - ESS signing-certificate-v2 — I cannot tell if this is supported.
>
> The ESS signing-certificate-v2 attribute is defined in RFC 5035. I
> am interested in using it with SHA-256. Is it supported? If not,
> what would need to happen to get it supported?

With the caveat that I know nothing about CAdES and haven't reviewed the
PR in question, you might want to look at this:

https://github.com/openssl/openssl/pull/206

If this PR were to be merged it would be a new feature and therefore
would not get incorporated until after the upcoming 1.1.0 release.

Matt