deano holyoake


All of the signatures defined here are generated and processed as described in [5].

However, this signature type is optional. All signature types, except the originator type, must encapsulate other signatures. Note that the domain signature could be encapsulating an empty signature as defined in section 3.
A SignerInfo must not include multiple instances of SignatureType. A signed attribute representing a SignatureType may include multiple instances of different SignatureType values as an AttributeValue of attrValues [5], as long as the SignatureType 'additional attributes' is not present. If there is more than one SignerInfo in a SignerInfos (i.e. when different algorithms are used) then the SignatureType attribute in all the SignerInfos must contain the same content.
The following sections describe the conditions under which each of these types of signature may be generated, and how they are processed.

2 Domain Signature Generation and Verification

A 'domain signature' is a proxy signature generated on a user's behalf in the user's domain. The signature must adhere to the naming conventions in 3. A 'domain signature' on a message authenticates the fact that the message has originated in that domain.
On reception, the 'domain signature' should be used to verify the authenticity of a message. A check must be made to ensure that both the naming convention and the name mapping convention have been used as specified in this standard. A recipient can assume that successful verification of the domain signature also authenticates the message originator. If there is an originator signature present, the name in that certificate should be used to identify the originator. This information can then be displayed to the recipient. If there is no originator signature present, the only assumption that can be made is the domain the message originated from.
A domain signer can be assumed to have verified any signatures that it encapsulates. Therefore, it is not necessary to verify these signatures before treating the message as authentic. However, this standard does not preclude a recipient from attempting to verify any other signatures that are present.

3 Additional Attributes Signature Generation and Verification

The 'additional attributes' signature type indicates that the SignerInfo contains additional attributes that are associated with the message.
Successful verification of an 'additional attributes' signature means only that the attributes are authentically bound to the message.
A recipient must not assume that its successful verification also authenticates the message originator. An entity generating an 'additional attributes' signature must do so using a certificate containing a subject name that follows the naming convention specified in 3. On reception, a check must be made to ensure that the naming convention has been used. A signer may include any of the attributes listed in [3] or in this document when generating an 'additional attributes' signature. The following attributes have a special meaning, when present in an 'additional attributes' signature:

1) Equivalent Label: label values in this attribute are to be treated as equivalent to the security label contained in an encapsulated SignerInfo, if present.
2) Security Label: the label value indicates the aggregate sensitivity of the inner message content plus any encapsulated SignedData and EnvelopedData containers. The label on the original data is indicated by the value in the originator's signature, if present.

Other object identifiers must not be included in the sequence of OIDs if this value is present.

4 Review Signature Generation and Verification

The review signature indicates that the signer has reviewed the message. Successful verification of a review signature means only that the signer has approved the message for onward transmission to the recipient(s).

5 Originator Signature

The 'originator signature' is used to indicate that the signer is the originator of the message and its contents.
It is included in this document for completeness only. An originator signature is indicated either by the absence of the signature type attribute, or by the presence of the value id-aa-sigtype-originator-sig in a 'signature type' signed attribute. There must be only one 'originator signature' present in an S/MIME encoding and it must be the innermost signature.
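The SignatureType rules stated above (one signatureType attribute per SignerInfo, no other OIDs beside 'additional attributes', identical content across a SignerInfos, every non-originator type encapsulating another signature, a single innermost originator signature) together with the recipient's assurance rule (only a verified domain signature, with both conventions checked, authenticates the originator), as an added Python checker written for this page rather than code from the specification or any implementation. It assumes the SignerInfo model shown and, apart from id-aa-sigtype-originator-sig which the text names, constructed placeholder names for the other three type values.

```python
from dataclasses import dataclass, field

# Only the originator value is named in the text; the other three are constructed placeholders.
ORIGINATOR = "id-aa-sigtype-originator-sig"
DOMAIN = "id-aa-sigtype-domain-sig"
ADDITIONAL = "id-aa-sigtype-additional-attributes"
REVIEW = "id-aa-sigtype-review-sig"


@dataclass
class SignerInfo:
    """Each element of sig_type_attrs is one signatureType signed attribute holding
    its sequence of OIDs; no attribute at all denotes an originator signature."""
    sig_type_attrs: list = field(default_factory=list)

    def types(self) -> frozenset:
        return frozenset(self.sig_type_attrs[0]) if self.sig_type_attrs else frozenset({ORIGINATOR})


def check_layers(layers):
    """layers[0] is the outermost SignedData's SignerInfos, layers[-1] the innermost (an
    encapsulated empty signature is its own inner layer). Returns the violations found."""
    problems, originators = [], 0
    for depth, signer_infos in enumerate(layers):
        innermost = depth == len(layers) - 1
        contents = set()
        for si in signer_infos:
            if len(si.sig_type_attrs) > 1:
                problems.append(f"layer {depth}: more than one signatureType attribute in a SignerInfo")
            t = si.types()
            if ADDITIONAL in t and len(t) > 1:
                problems.append(f"layer {depth}: other OIDs alongside 'additional attributes'")
            contents.add(t)
        if len(contents) != 1:  # several SignerInfos (e.g. different algorithms) must agree
            problems.append(f"layer {depth}: SignerInfos do not carry the same signatureType content")
            continue
        t = next(iter(contents))
        if ORIGINATOR in t:
            originators += 1
            if not innermost:
                problems.append(f"layer {depth}: originator signature is not the innermost")
        elif innermost:
            problems.append(f"layer {depth}: {sorted(t)} must encapsulate another signature")
    if originators > 1:
        problems.append("more than one originator signature present")
    return problems


def originator_authenticated(outer_types, verified, naming_ok, mapping_ok):
    """Only a verified domain signature whose naming and name-mapping conventions check
    out authenticates the originator; additional-attributes and review signatures do not."""
    return DOMAIN in outer_types and verified and naming_ok and mapping_ok
```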
Encryption and Decryption

Message encryption may be performed by a third party on behalf of a set of originators in a domain. This is referred to as domain encryption. Message decryption may be performed by a third party on behalf of a set of recipients in a domain. This is referred to as domain decryption. The third party that performs these processes is referred to in this section as a 'domain confidentiality authority' (DCA). Both of these processes are described in this section.
The process of encryption and decryption is documented in CMS [5]. The only additional requirement introduced by domain encryption and decryption is for greater flexibility in the management of keys, as described in the following subsections. As with signatures, a naming convention and name mapping convention are used to locate the correct key. The mechanisms described below are applicable both to key agreement and key transport systems, as documented in [5]. The phrase 'encryption key' is used as a term for the key management keys used by both techniques. The mechanisms below are also applicable to roving users who wish to read messages that are sent back to their domain. This is because compromise of a private key may in turn compromise the security of the whole domain. Therefore, great care should be taken when considering its protection.