First draft of pkinit plugin code now in Subversion
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Nov 29 19:12:59 EST 2006
On Monday, November 27, 2006 12:22:13 PM -0500 Olga Kornievskaia
<aglo at citi.umich.edu> wrote:
>> there seems to be no support for the supportedCMSTypes field
> that is correct as well. as it was an optional field, it's
> implementation was not high on our list.
It is "OPTIONAL" in the ASN.1 sense, which means only that it is not always
present. This field is needed in order for the client to indicate support
for algorithms other than the handful listed in RFC4556 section 3.1.4.
>> and that the use of CMS seems to hard code sha-1 rather than
>> making intelligent decisions about the appropriate hash to sign with.
>>
> pkinit rfc states (3.1.1) that signature algorithm is always
> sha1WithRSAEncryption.
No; that's not what 3.1.1 says. What it says is that all implementations
MUST implement sha-1WithRSAEncryption. However, other signature algorithms
can also be used, and an implementation which limits itself to only that
one will fail to interoperate when other algorithms are used.
-- Jeff
More information about the krbdev
mailing list