W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2002

Re: newbie Question about PKCS#7

From: Tom Gindin <tgindin@us.ibm.com>
Date: Thu, 16 May 2002 11:28:27 -0400
To: "Ed Simon" <edsimon@xmlsec.com>
Cc: "Roman Huditsch" <roman.huditsch@hico.com>, <w3c-ietf-xmldsig@w3.org>
Message-ID: <OF40FE7A5E.0DE786C8-ON85256BBB.00537300@pok.ibm.com>


      IMHO, XML Signature is not "the new way of doing signatures".  It's
the new, and hopefully best, way of signing documents which include XML.
Do you expect people to sign pure binary data using XML Signature rather
than CMS?
      Maybe I'm confused about the standard, but I don't see a "Type" value
for transparent binary data or a transform for it.  Does a Reference with
both Type and Transforms omitted mean binary?

            Tom Gindin

"Ed Simon" <edsimon@xmlsec.com>@w3.org on 05/16/2002 11:03:28 AM

Sent by:    w3c-ietf-xmldsig-request@w3.org

To:    Tom Gindin/Watson/IBM@IBMUS
cc:    "Roman Huditsch" <roman.huditsch@hico.com>,
Subject:    Re: newbie Question about PKCS#7

I'm didn't say that XML Signature is necessarily a replacement for PKCS#7.
What I am saying is that XML Signature is "the new way of doing digital
signatures" and that if one is introducing digital signatures into a
one should
seriously consider using XML Signature over PKCS#7.

Certainly, if a system is heavily ASN.1-oriented and where the subset of
digital signature functionality available in PKCS#7 is deemed satisfactory
for the foreseeable future, and the implementors really want to use PKCS#7,
I will not object.  There may indeed be cases where PKCS#7 remains
preferable.  But, in general (eg. not always), I think XML Signature should
be initially assumed to be the best alternative until proven otherwise for
application-layer security.

Perhaps I am misreading your email, but are you stating you don't think XML
Signature can sign binary data without adding a "binary" transform?  If so,
I should point out that XML Signature today can sign binary data, and that
no "binary" transform is necessary.  Indeed, the great thing is that a
single XML Signature can cover mulitple binary objects (either referenced
enveloped (and base64-ed)).

Please correct me if I'm misinterpreting any part of your email.

Regards, Ed

----- Original Message -----
From: "Tom Gindin" <tgindin@us.ibm.com>
To: "Ed Simon" <edsimon@xmlsec.com>
Cc: "Roman Huditsch" <roman.huditsch@hico.com>; <w3c-ietf-xmldsig@w3.org>
Sent: Thursday, May 16, 2002 10:16 AM
Subject: Re: newbie Question about PKCS#7

>       I don't think that XML Signature is a replacement for PKCS#7/CMS.
> is an alternative which permits the signing of XML rather than of binary
> with a leaning towards ASN.1.  However, one possibly productive issue is
> brought up by this thread.  Is it reasonable to have a standard transform
> of "binary" available, analogous to the existing "base64" transform?  An
> Reference containing an FTP URI can perfectly well point to a binary file
> on the physical internet, which has not been encoded in base 64.
>             Tom Gindin
> "Ed Simon" <edsimon@xmlsec.com>@w3.org on 05/16/2002 08:23:36 AM
> Sent by:    w3c-ietf-xmldsig-request@w3.org
> To:    "Roman Huditsch" <roman.huditsch@hico.com>,
>        <w3c-ietf-xmldsig@w3.org>
> cc:
> Subject:    Re: newbie Question about PKCS#7
> I think the first question to be pondered is NOT "How?" but "Why?".
> You can of course use XML Signature to sign a PKCS#7 blob just like you
> any other blob.  But I think the implication of your email is that you
> looking for some standard specified way of combining PKCS#7 and XML
> Signature.  There isn't any.  Generally, XML Signature should be seen as
> the new way of doing digital signatures.
> It may make sense to port existing PKCS#7-based applications to XML
> Signature, but I doubt there would be any value trying to have a single
> digital signature be a hybrid of both XML Signature and PKCS#7.
> Ed
>  ----- Original Message -----
>  From: Roman Huditsch
>  To: w3c-ietf-xmldsig@w3.org
>  Sent: Wednesday, May 15, 2002 9:13 AM
>  Subject: newbie Question about PKCS#7
>  I'm very new to the topic of XML Signature and I have therefore a rather
>  simple question, which I couldn' solve myself by reading the spec. I
>  wanted to look, if this topic was already discussed in your list, but
>  mailing-list archiev was down.
>  What I want to know is: How can I include the PKCS#7 Standard in an XML
>  Signature? Do I have to use the
>  URI?
>  wbr,
>  Roman Huditsch
Received on Thursday, 16 May 2002 11:29:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:37 UTC