Re: XMLDSIG RSA signatures

Hi,

Here's a summary from my POV.

WTLS (Wireless TLS) and TLS both use an RSA signature that is just
CRYPT (PAD (DIGEST (data))), which I called the "raw" digest. Because
the digest algorithm is fixed, no substitution attack is possible.
PKCS#1, as we know, is CRYPT (PAD (ASN.1 (OID, DIGEST (data)))).

So, among the options under discussion:

1) B64 (C(P(D(data))))            ("raw" digest)
2) B64 (C(P(ASN1(D(data)))))      (PKCS#1 wrapped digest)
3) B64 (OID . C(P(D(data))))
4) B64 (OID . C(P(ASN1(D(data)))))

. I believe that no one desires 1) or 3).

. I desire just 2). This is secure, the ASN.1 part is supported
  by all crypto toolkits, and it places no unnecessary ASN.1
  burden on the XMLDSIG implementation.

. Some people propose 2) or 4) at the application's discretion.
  Having a choice is just bad, in my opinion.

. Other people desire that it is just 4). I disagree with this.
  If we want to use OIDs to identify crypto algorithms (which
  has its merits) then we can use Signature Algorithm URIs of
  'oid:1.2.3.4' instead of '&dsig;bar'.

Merlin

Received on Wednesday, 30 August 2000 11:09:17 UTC
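The four layers Merlin abbreviates as B64 (C (P (ASN1 (D (data))))) are easy to lose track of in prose, so here is an added example (mine, not part of the message above, the XMLDSIG spec, or any toolkit) that builds options 1) and 2) side by side: D() is the hash, ASN1() is the PKCS#1 DigestInfo prefix, P() is EMSA-PKCS1-v1_5 block-type-1 padding, and C() is a toy textbook RSA private-key operation on a key generated from a fixed seed (illustration only, not for real use). The sample message is constructed, and the use of both SHA-1 and SHA-256 is my assumption to show two algorithms; XMLDSIG at the time mandated SHA-1. The verifier recomputes the whole expected T (prefix plus digest) and compares it, which is what makes option 2) reject a signature whose DigestInfo names a different algorithm; with the raw form the verifier has only a digest of some length and must take the algorithm from context, exactly the point made about WTLS/TLS above.

```python
import hashlib
import hmac
import random

# DigestInfo prefixes from PKCS#1 (RFC 8017, 9.2 note 1): the DER encoding of
# SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING } with the digest bytes omitted.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; fine for a demo key, not a production primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def generate_rsa(bits=512, seed=2000):
    """Toy textbook RSA key from a fixed seed (assumption: demo only, never real use)."""
    random.seed(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, phi), "k": (n.bit_length() + 7) // 8}


def rsa_private(key, em):   # C(): RSASP1, the private-key operation
    return pow(int.from_bytes(em, "big"), key["d"], key["n"]).to_bytes(key["k"], "big")


def rsa_public(key, sig):   # RSAVP1, the public-key operation
    return pow(int.from_bytes(sig, "big"), key["e"], key["n"]).to_bytes(key["k"], "big")


def pad(t, k):              # P(): EMSA-PKCS1-v1_5, block type 1: 00 01 FF..FF 00 || T
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def unpad(em):              # inverse of pad(); rejects anything but a well-formed block
    if em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        raise ValueError("bad padding")
    return em[i + 1:]


def encode(hash_name, data, wrapped):
    """T = D(data) for the 'raw' digest (option 1) or ASN1(D(data)) for PKCS#1 (option 2)."""
    digest = hashlib.new(hash_name, data).digest()
    return DIGEST_INFO_PREFIX[hash_name] + digest if wrapped else digest


def sign(key, hash_name, data, wrapped=True):
    return rsa_private(key, pad(encode(hash_name, data, wrapped), key["k"]))


def verify(key, hash_name, data, sig, wrapped=True):
    try:
        t = unpad(rsa_public(key, sig))
    except ValueError:
        return False
    # Compare the full expected T, so under option 2 a DigestInfo naming another
    # algorithm fails even if the trailing digest bytes happened to agree.
    return hmac.compare_digest(t, encode(hash_name, data, wrapped))


def identify_digest(t):
    """What a verifier can learn from T alone: the OID names the algorithm under
    option 2; a raw digest is just bytes of some length, so None is returned."""
    for name, prefix in DIGEST_INFO_PREFIX.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(name).digest_size:
            return name
    return None


KEY = generate_rsa()


def demo(message=b"<SignedInfo>constructed sample</SignedInfo>"):
    wrapped_sig = sign(KEY, "sha256", message)               # option 2)
    raw_sig = sign(KEY, "sha1", message, wrapped=False)       # option 1)
    return {
        "wrapped_ok": verify(KEY, "sha256", message, wrapped_sig),
        "wrapped_wrong_alg": verify(KEY, "sha1", message, wrapped_sig),
        "wrapped_tampered": verify(KEY, "sha256", message + b"x", wrapped_sig),
        "wrapped_alg": identify_digest(unpad(rsa_public(KEY, wrapped_sig))),
        "raw_ok": verify(KEY, "sha1", message, raw_sig, wrapped=False),
        "raw_alg": identify_digest(unpad(rsa_public(KEY, raw_sig))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The B64 layer is omitted since it is just transport encoding of the final signature bytes. Options 3) and 4) would prepend the OID to the ciphertext before base64, outside what RSA protects; the example shows why that buys nothing over 2), where the OID already sits inside the signed block.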