[openssl-dev] Signing Internet-Drafts and RFCs
Jaroslav Imrich
jaroslav.imrich at gmail.com
Thu May 12 13:58:12 UTC 2016
On 12 May 2016 at 13:44, Dr. Stephen Henson <steve at openssl.org> wrote:
> On Thu, May 12, 2016, Matt Caswell wrote:
>
> >
> >
> > On 11/05/16 22:03, Russ Housley wrote:
> > > Today, the IETF uses OpenSSL to digitally sign Internet-Drafts. If
> > > you care about the details, please see RFC 5485.
> > >
> > > We are looking to expand Internet-Draft signing, and start signing
> > > RFCs as well. Someone has suggested that we support RFC 5126, "CMS
> > > Advanced Electronic Signatures (CAdES)?. This would mean including
> > > some signed attributes that we do not currently use.
> > >
> > > A CAdES Basic Electronic Signature (CAdES-BES) must include these
> > > signed attributes:
> > >
> > > - Content-type ? I know OpenSSL supports this one. - Message-digest ?
> > > I know OpenSSL supports this one. - ESS signing-certificate-v2 ? I
> > > cannot tell if this is supported.
> > >
> > > The ESS signing-certificate-v2 attribute is defined in RFC 5035. I
> > > am interested in using it with SHA-256. Is it supported? If not,
> > > what would need to happen to get it supported?
> >
> > With the caveat that I know nothing about CAdES and haven't reviewed the
> > PR in question, you might want to look at this:
> >
> > https://github.com/openssl/openssl/pull/206
> >
> > If this PR were to be merged it would be a new feature and therefore
> > would not get incorporated until after the up-coming 1.1.0 release.
> >
>
> Note that that PR (which IMHO needs quite a bit of work before we should
> consider merging it) applies to the timestamping protocol. Something more
> suited to CMS would be better with command line support and automatic
> processing in CMS_verify et al.
>
SigningCertificate(v1) attribute is currently defined in TS module too,
thus it seems logical that people are adding SigningCertificateV2 support
there.
Similar (but IMO much better) patch adding support for SigningCertificateV2
attribute almost got merged in PR#771 -
https://github.com/openssl/openssl/pull/771
Maybe it is time to consider a freeze exception? :)
Regards, Jaroslav
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160512/234ea881/attachment-0001.html>
More information about the openssl-dev
mailing list