W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2002

RE: newbie Question about PKCS#7

From: Manoj K. Srivastava <manoj@infomosaic.com>
Date: Thu, 16 May 2002 13:29:49 -0700
To: "'Tom Gindin'" <tgindin@us.ibm.com>, "'Ed Simon'" <edsimon@xmlsec.com>
Cc: "'Roman Huditsch'" <roman.huditsch@hico.com>, <w3c-ietf-xmldsig@w3.org>
Message-ID: <001701c1fd18$6fb6add0$0a00a8c0@infomosaic.net>
Hi Tom,

Please try signing a binary file using the Infomosaic SecureXML online
signature application. 
We use a base64 transformed version of the file when creating an
enveloped signature. This transform is part of the data in the signed
info section so one can get the original data back by doing a base64
decode. You can see how we fetch the original file back when you do the
verification. For a detached signature we simply calculate the digest on
the binary data with no transformation. One can obviously provide a
transformation here as well.

Manoj

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Tom Gindin
Sent: Thursday, May 16, 2002 8:28 AM
To: Ed Simon
Cc: Roman Huditsch; w3c-ietf-xmldsig@w3.org
Subject: Re: newbie Question about PKCS#7



      Ed:

      IMHO, XML Signature is not "the new way of doing signatures".
It's the new, and hopefully best, way of signing documents which include
XML. Do you expect people to sign pure binary data using XML Signature
rather than CMS?
      Maybe I'm confused about the standard, but I don't see a "Type"
value for transparent binary data or a transform for it.  Does a
Reference with both Type and Transforms omitted mean binary?

            Tom Gindin

"Ed Simon" <edsimon@xmlsec.com>@w3.org on 05/16/2002 11:03:28 AM

Sent by:    w3c-ietf-xmldsig-request@w3.org


To:    Tom Gindin/Watson/IBM@IBMUS
cc:    "Roman Huditsch" <roman.huditsch@hico.com>,
       <w3c-ietf-xmldsig@w3.org>
Subject:    Re: newbie Question about PKCS#7


I'm didn't say that XML Signature is necessarily a replacement for
PKCS#7. What I am saying is that XML Signature is "the new way of doing
digital signatures" and that if one is introducing digital signatures
into a system, one should seriously consider using XML Signature over
PKCS#7.

Certainly, if a system is heavily ASN.1-oriented and where the subset of
digital signature functionality available in PKCS#7 is deemed
satisfactory for the foreseeable future, and the implementors really
want to use PKCS#7, I will not object.  There may indeed be cases where
PKCS#7 remains preferable.  But, in general (eg. not always), I think
XML Signature should be initially assumed to be the best alternative
until proven otherwise for application-layer security.

Perhaps I am misreading your email, but are you stating you don't think
XML Signature can sign binary data without adding a "binary" transform?
If so, I should point out that XML Signature today can sign binary data,
and that no "binary" transform is necessary.  Indeed, the great thing is
that a single XML Signature can cover mulitple binary objects (either
referenced or enveloped (and base64-ed)).

Please correct me if I'm misinterpreting any part of your email.

Regards, Ed

----- Original Message -----
From: "Tom Gindin" <tgindin@us.ibm.com>
To: "Ed Simon" <edsimon@xmlsec.com>
Cc: "Roman Huditsch" <roman.huditsch@hico.com>;
<w3c-ietf-xmldsig@w3.org>
Sent: Thursday, May 16, 2002 10:16 AM
Subject: Re: newbie Question about PKCS#7


>
>       I don't think that XML Signature is a replacement for 
> PKCS#7/CMS.
It
> is an alternative which permits the signing of XML rather than of 
> binary with a leaning towards ASN.1.  However, one possibly productive

> issue is brought up by this thread.  Is it reasonable to have a 
> standard transform of "binary" available, analogous to the existing 
> "base64" transform?  An Reference containing an FTP URI can perfectly 
> well point to a binary file on the physical internet, which has not 
> been encoded in base 64.
>
>             Tom Gindin
>
>
> "Ed Simon" <edsimon@xmlsec.com>@w3.org on 05/16/2002 08:23:36 AM
>
> Sent by:    w3c-ietf-xmldsig-request@w3.org
>
>
> To:    "Roman Huditsch" <roman.huditsch@hico.com>,
>        <w3c-ietf-xmldsig@w3.org>
> cc:
> Subject:    Re: newbie Question about PKCS#7
>
>
> I think the first question to be pondered is NOT "How?" but "Why?".
>
> You can of course use XML Signature to sign a PKCS#7 blob just like 
> you
can
> any other blob.  But I think the implication of your email is that you
are
> looking for some standard specified way of combining PKCS#7 and XML 
> Signature.  There isn't any.  Generally, XML Signature should be seen 
> as the new way of doing digital signatures.
>
> It may make sense to port existing PKCS#7-based applications to XML 
> Signature, but I doubt there would be any value trying to have a 
> single digital signature be a hybrid of both XML Signature and PKCS#7.
>
> Ed
>  ----- Original Message -----
>  From: Roman Huditsch
>  To: w3c-ietf-xmldsig@w3.org
>  Sent: Wednesday, May 15, 2002 9:13 AM
>  Subject: newbie Question about PKCS#7
>
>  I'm very new to the topic of XML Signature and I have therefore a 
> rather  simple question, which I couldn' solve myself by reading the 
> spec. I  wanted to look, if this topic was already discussed in your 
> list, but
the
>  mailing-list archiev was down.
>  What I want to know is: How can I include the PKCS#7 Standard in an 
> XML  Signature? Do I have to use the
http://www.w3.org/2000/09/xmldsig#rsa-sha1
>  URI?
>
>  wbr,
>  Roman Huditsch
>
>
>
>
>
Received on Thursday, 16 May 2002 16:32:03 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:15 GMT