W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2002

Re: newbie Question about PKCS#7

From: Ed Simon <edsimon@xmlsec.com>
Date: Thu, 16 May 2002 11:03:28 -0400
Message-ID: <000a01c1fcea$d6a0be10$f2a0fea9@DJQC7111>
To: "Tom Gindin" <tgindin@us.ibm.com>
Cc: "Roman Huditsch" <roman.huditsch@hico.com>, <w3c-ietf-xmldsig@w3.org>
I'm didn't say that XML Signature is necessarily a replacement for PKCS#7.
What I am saying is that XML Signature is "the new way of doing digital
signatures" and that if one is introducing digital signatures into a system,
one should
seriously consider using XML Signature over PKCS#7.

Certainly, if a system is heavily ASN.1-oriented and where the subset of
digital signature functionality available in PKCS#7 is deemed satisfactory
for the foreseeable future, and the implementors really want to use PKCS#7,
I will not object.  There may indeed be cases where PKCS#7 remains
preferable.  But, in general (eg. not always), I think XML Signature should
be initially assumed to be the best alternative until proven otherwise for
application-layer security.

Perhaps I am misreading your email, but are you stating you don't think XML
Signature can sign binary data without adding a "binary" transform?  If so,
I should point out that XML Signature today can sign binary data, and that
no "binary" transform is necessary.  Indeed, the great thing is that a
single XML Signature can cover mulitple binary objects (either referenced or
enveloped (and base64-ed)).

Please correct me if I'm misinterpreting any part of your email.

Regards, Ed

----- Original Message -----
From: "Tom Gindin" <tgindin@us.ibm.com>
To: "Ed Simon" <edsimon@xmlsec.com>
Cc: "Roman Huditsch" <roman.huditsch@hico.com>; <w3c-ietf-xmldsig@w3.org>
Sent: Thursday, May 16, 2002 10:16 AM
Subject: Re: newbie Question about PKCS#7


>
>       I don't think that XML Signature is a replacement for PKCS#7/CMS.
It
> is an alternative which permits the signing of XML rather than of binary
> with a leaning towards ASN.1.  However, one possibly productive issue is
> brought up by this thread.  Is it reasonable to have a standard transform
> of "binary" available, analogous to the existing "base64" transform?  An
> Reference containing an FTP URI can perfectly well point to a binary file
> on the physical internet, which has not been encoded in base 64.
>
>             Tom Gindin
>
>
> "Ed Simon" <edsimon@xmlsec.com>@w3.org on 05/16/2002 08:23:36 AM
>
> Sent by:    w3c-ietf-xmldsig-request@w3.org
>
>
> To:    "Roman Huditsch" <roman.huditsch@hico.com>,
>        <w3c-ietf-xmldsig@w3.org>
> cc:
> Subject:    Re: newbie Question about PKCS#7
>
>
> I think the first question to be pondered is NOT "How?" but "Why?".
>
> You can of course use XML Signature to sign a PKCS#7 blob just like you
can
> any other blob.  But I think the implication of your email is that you are
> looking for some standard specified way of combining PKCS#7 and XML
> Signature.  There isn't any.  Generally, XML Signature should be seen as
> the new way of doing digital signatures.
>
> It may make sense to port existing PKCS#7-based applications to XML
> Signature, but I doubt there would be any value trying to have a single
> digital signature be a hybrid of both XML Signature and PKCS#7.
>
> Ed
>  ----- Original Message -----
>  From: Roman Huditsch
>  To: w3c-ietf-xmldsig@w3.org
>  Sent: Wednesday, May 15, 2002 9:13 AM
>  Subject: newbie Question about PKCS#7
>
>  I'm very new to the topic of XML Signature and I have therefore a rather
>  simple question, which I couldn' solve myself by reading the spec. I
>  wanted to look, if this topic was already discussed in your list, but the
>  mailing-list archiev was down.
>  What I want to know is: How can I include the PKCS#7 Standard in an XML
>  Signature? Do I have to use the
http://www.w3.org/2000/09/xmldsig#rsa-sha1
>  URI?
>
>  wbr,
>  Roman Huditsch
>
>
>
>
>
Received on Thursday, 16 May 2002 11:02:01 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:15 GMT