[openssl-dev] Signing Internet-Drafts and RFCs

Dr. Stephen Henson steve at openssl.org
Thu May 12 11:44:10 UTC 2016


On Thu, May 12, 2016, Matt Caswell wrote:

> 
> 
> On 11/05/16 22:03, Russ Housley wrote:
> > Today, the IETF uses OpenSSL to digitally sign Internet-Drafts.  If
> > you care about the details, please see RFC 5485.
> > 
> > We are looking to expand Internet-Draft signing, and start signing
> > RFCs as well.  Someone has suggested that we support RFC 5126, "CMS
> > Advanced Electronic Signatures (CAdES)".  This would mean including
> > some signed attributes that we do not currently use.
> > 
> > A CAdES Basic Electronic Signature (CAdES-BES) must include these
> > signed attributes:
> > 
> > - Content-type: I know OpenSSL supports this one.
> > - Message-digest: I know OpenSSL supports this one.
> > - ESS signing-certificate-v2: I cannot tell if this is supported.
> > 
> > The ESS signing-certificate-v2 attribute is defined in RFC 5035.  I
> > am interested in using it with SHA-256.  Is it supported?  If not,
> > what would need to happen to get it supported?
> 
> With the caveat that I know nothing about CAdES and haven't reviewed the
> PR in question, you might want to look at this:
> 
> https://github.com/openssl/openssl/pull/206
> 
> If this PR were to be merged it would be a new feature and therefore
> would not get incorporated until after the up-coming 1.1.0 release.
> 

Note that that PR (which IMHO needs quite a bit of work before we should
consider merging it) applies to the timestamping protocol. Something more
suited to CMS would be better with command line support and automatic
processing in CMS_verify et al.

I'll look into that after 1.1.0 release.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
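The attribute the thread is asking about is small enough to show in full. The following is an added example, not code from OpenSSL or from anyone in this thread: it builds a CMS signedAttrs set the way a CAdES-BES signer would (content-type, message-digest and the RFC 5035 ESS signing-certificate-v2 attribute, the last hashing the signer's certificate with SHA-256), and then checks a signedAttrs set against a certificate, returning False when the attribute is missing (which is what a signer that only adds the first two attributes produces) or when the hash belongs to a different certificate. CERT_DER is a constructed placeholder byte string standing in for a DER-encoded certificate, not a real certificate; the function names and the hand-rolled DER helpers are this example's own, not an OpenSSL API.

```python
"""RFC 5035 ESS signing-certificate-v2: build the signed attribute and check it
against a certificate, using a minimal DER encoder/decoder (standard library only)."""
import hashlib

ID_AA_SIGNING_CERTIFICATE_V2 = "1.2.840.113549.1.9.16.2.47"  # RFC 5035
ID_SHA256 = "2.16.840.1.101.3.4.2.1"                         # DEFAULT hashAlgorithm
ID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
ID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
ID_DATA = "1.2.840.113549.1.7.1"

# Constructed placeholder: stands in for a DER certificate, is not a real one.
CERT_DER = b"constructed placeholder bytes standing in for a DER-encoded certificate"


def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                      # base-128, high bit set on all but last byte
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def attribute(oid, value_der):
    return tlv(0x30, der_oid(oid) + tlv(0x31, value_der))   # Attribute { type, SET OF values }


def ess_cert_id_v2(cert_der, explicit_alg=False):
    # hashAlgorithm DEFAULT id-sha256: DER omits it unless the signer encodes it explicitly
    body = tlv(0x30, der_oid(ID_SHA256)) if explicit_alg else b""
    body += tlv(0x04, hashlib.sha256(cert_der).digest())     # certHash OCTET STRING
    return tlv(0x30, body)                                    # issuerSerial omitted


def signing_certificate_v2_attr(cert_der, explicit_alg=False):
    certs = tlv(0x30, ess_cert_id_v2(cert_der, explicit_alg))  # certs SEQUENCE OF ESSCertIDv2
    return attribute(ID_AA_SIGNING_CERTIFICATE_V2, tlv(0x30, certs))


def signed_attrs(content, cert_der=None):
    """SET OF Attribute as a signer emits it. With cert_der=None only content-type and
    message-digest are present, i.e. the two attributes the thread says OpenSSL adds."""
    parts = [attribute(ID_CONTENT_TYPE, der_oid(ID_DATA)),
             attribute(ID_MESSAGE_DIGEST, tlv(0x04, hashlib.sha256(content).digest()))]
    if cert_der is not None:
        parts.append(signing_certificate_v2_attr(cert_der))
    return tlv(0x31, b"".join(sorted(parts)))   # DER SET OF: elements in ascending encoding order


def find_signing_cert_v2(signed_attrs_der):
    """Return [(hash_alg_oid, cert_hash), ...] from the ESS attribute, or None if absent."""
    _, attrs, _ = read_tlv(signed_attrs_der, 0)
    for _, attr in children(attrs):
        (t, oid), (_, values) = children(attr)[:2]
        if t != 0x06 or decode_oid(oid) != ID_AA_SIGNING_CERTIFICATE_V2:
            continue
        _, sc_v2 = children(values)[0]          # SigningCertificateV2
        _, certs = children(sc_v2)[0]           # certs SEQUENCE OF ESSCertIDv2
        out = []
        for _, cid in children(certs):
            parts, alg = children(cid), ID_SHA256
            if parts[0][0] == 0x30:             # explicit AlgorithmIdentifier present
                alg = decode_oid(children(parts[0][1])[0][1])
                parts = parts[1:]
            out.append((alg, parts[0][1]))      # certHash
        return out
    return None


def check_signing_cert(signed_attrs_der, cert_der):
    """True only if an ESS signing-certificate-v2 SHA-256 hash matches cert_der.
    A missing attribute means the signature is not CAdES-BES; other hash
    algorithms are not handled here and therefore fail."""
    ids = find_signing_cert_v2(signed_attrs_der)
    if ids is None:
        return False
    want = hashlib.sha256(cert_der).digest()
    return any(alg == ID_SHA256 and h == want for alg, h in ids)
```

The check deliberately fails closed: a signer that substitutes a different certificate for the same key, or a verifier that is handed a signedAttrs set without the attribute, both return False, which is the property the ESS attribute exists to provide.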

