Subject: Re: adding gpg to src/gnu/dist
To: Simon J. Gerraty <sjg@crufty.net>
From: Love <lha@stacken.kth.se>
List: tech-security
Date: 05/14/2004 13:59:10
"Simon J. Gerraty" <sjg@crufty.net> writes:

>>In my work, I have used the "openssl smime *" commands, rather than
>>working with the keys and formats quite so directly.  There are
>>several other reasons for this, but the major one is that it handles
>>all of the container cert chain and encoding issues you discuss for
>>you.  It's been appropriate for my needs so far, but might be less
>>directly applicable for this discussion (more below).
>
> Yes, smime was one option that we considered, but it seemed to be very
> particular about the format of its input and the resulting signatures
> end up being very bulky.  Of course I may have just been using it
> wrong - at first blush it sounded good.

The stuff SMIME uses, CMS (RFC3369) (used to be PKCS#7), is not really bulky
if you don't include certificates inside the data, and you can get it even
less bulky if you use the right SignerIdentifier.


$ openssl smime -sign -noattr -nochain -nocerts [...]
$ ls -l nbsvtool.c.sig 
-rw-r--r--  1 lha  wheel  457 May 14 13:56 nbsvtool.c.sig
$ openssl smime -sign -noattr [....]
$ ls -l nbsvtool.c.sig 
-rw-r--r--  1 lha  wheel  7355 May 14 13:57 nbsvtool.c.sig

But then, I think we should include certificates; it makes the signature
free-standing.

Love

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)

iQEVAwUAQKS0knW+NPVfDpmCAQIdJgf7Bd7wmL5naecTXdXNMAEfNVm728lFbVEr
1PIf0rqqHCCxv6PXhgyePVEZ/K1K8/V95O+h9tDBUuqfC/2I6cs7QVxDS8cWr+9s
iiH4tf7QxxUYVj8qmQBUrwUliWyHmt3Uer5IdVQhvJbTtgqlpp22QpOOUs3m0Xki
+qx+9BsQi4c+napDPKMy2vLw+8MbPwL4fVb0oNXfx2JRms3OVlaTCPPZF7btrmRG
HZ/Z9Q20crfc3UZHULrerRDCPPB/s+wuukPxLt23Hz9P5U6lTUxYkLPD0RMIzN0+
beLXlTYhQw5PS2xDnZHXsSO5zubpW6MiWI2u2f4b+xkBCXSOUseI2Q==
=8Q5h
-----END PGP SIGNATURE-----
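The size comparison Love describes above, as an added shell example that is not part of the original mail and not code from the NetBSD tool under discussion. It generates a throwaway self-signed key (the subject name is a placeholder) and a constructed stand-in for nbsvtool.c, signs it twice with the same `openssl smime` flags the mail uses, and reports the byte counts. It also shows the verification side of the trade-off: a signature made with `-nocerts` can only be checked if the signer certificate is handed to the verifier separately, whereas the bulkier one is free-standing.

```shell
#!/bin/sh
# Added example (not from the original mail): measure how much of a CMS
# signature is the embedded certificate versus the bare SignerInfo.
set -e

WORK=$(mktemp -d)

# Constructed throwaway signing key and self-signed certificate; the
# subject name is a placeholder, not a real identity.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=cms-size-example" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Constructed stand-in for the file being signed.
printf 'int main(void) { return 0; }\n' > "$WORK/nbsvtool.c"

# make_sig MODE: write a detached DER-encoded CMS signature over nbsvtool.c.
#   lean -> -noattr -nocerts -nochain: SignerInfo only, no certificates
#   full -> defaults: signed attributes plus the signer certificate embedded
make_sig() {
    case "$1" in
        lean) extra="-noattr -nocerts -nochain" ;;
        full) extra="" ;;
        *) echo "unknown mode $1" >&2; return 1 ;;
    esac
    openssl smime -sign -binary $extra \
        -in "$WORK/nbsvtool.c" -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -outform DER -out "$WORK/$1.sig"
    echo "$WORK/$1.sig"
}

# sig_bytes FILE: size of the signature in bytes.
sig_bytes() { wc -c < "$1" | tr -d ' '; }

# verify_sig MODE: verify the detached signature against the content.
# The lean signature carries no certificate, so the verifier must be given
# the signer certificate out of band (-certfile); the full one is
# free-standing and needs only the trust anchor.
verify_sig() {
    if [ "$1" = lean ]; then extra="-certfile $WORK/cert.pem"; else extra=""; fi
    openssl smime -verify -binary -inform DER $extra \
        -in "$WORK/$1.sig" -content "$WORK/nbsvtool.c" \
        -CAfile "$WORK/cert.pem" -out /dev/null >/dev/null 2>&1 \
        && echo ok || echo fail
}

# lean_fails_without_cert: prints "yes" if the lean signature cannot be
# verified when the signer certificate is not supplied alongside it.
lean_fails_without_cert() {
    if openssl smime -verify -binary -inform DER -in "$WORK/lean.sig" \
         -content "$WORK/nbsvtool.c" -CAfile "$WORK/cert.pem" \
         -out /dev/null >/dev/null 2>&1; then echo no; else echo yes; fi
}

make_sig lean >/dev/null
make_sig full >/dev/null
printf 'lean (no certs): %s bytes\nfull (certs embedded): %s bytes\n' \
    "$(sig_bytes "$WORK/lean.sig")" "$(sig_bytes "$WORK/full.sig")"
```

The lean signature is a few hundred bytes (one SignerInfo with an issuerAndSerialNumber SignerIdentifier and the RSA signature), while the full one additionally carries the whole signer certificate. The other SignerIdentifier form the mail alludes to, subjectKeyIdentifier, is selected with the `-keyid` option of `openssl cms -sign`; it is not exercised here because it requires the certificate to carry a SubjectKeyIdentifier extension.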