Ilari Liusvaara <[email protected]> wrote: > To me there seems to be multiple problems:
> - As certificate used can affect interpretation, not just validity
> (especially so for signatures), the sender needs to bind the
> certificate used. This impiles x5t, x5bag and x5chain need to go into
> protected bucket.
I don't understand.
The certificates are signed. They carry their own validity.
If an attacker can substitute a different set of certificates that lead to a
valid signature then we have a bigger problem.
Putting them into the protected bucket means that they can not be removed if
a transmitter or entity storing them knows that the validator already has them.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
