W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2003

Re: QUESTION ABOUT PKCS#7 AND XMLDSIG

From: Phillip H. Griffin <phil.griffin@asn-1.com>
Date: Mon, 24 Feb 2003 07:53:20 -0500
Message-ID: <3E5A15C0.5000402@asn-1.com>
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Cc: DEMERJIAN <demerjia@enst.fr>, w3c-ietf-xmldsig@w3.org

I believe the Kaliski statement is essentially correct. PKCS #7 also
goes by the name CMS or Cryptographic Message Syntax, and in the
IETF by SMIME or S/MIME. If you read carefully the June 1999
thread on "Some possible rqmt/design points" and even much earlier,
you'll see that CMS processing and capability were clearly on the minds
of some designers. For example, from
lists.w3.org/Archives/Public/w3c-ietf-xmldsig/1999AprJun/0033.html

"Additional thoughts from my notes on the requirements front. Some of
these may be in between requirements and design, and aren't in a
particular order.  Also, they're in the spirit of trying to leverage
much of the CMS experience. I think attention to the validation logic
is particularly important. (By the way, I know I included the "no
criticality" point twice)"

Of course, that is not to say that xmldsig is an XML version of CMS. 
That would be
true only of the X9.96 XML CMS work going on in ANSI, or to some degree 
the use
of XML encoded CMS components in the X9.95 Trusted Time Stamp, X9.84:2003
Biometric Information Management and Security, or OASIS XCBF works.

And xmldsig provides functionality and a document view not directly 
supported in CMS,
which takes a message view of signed content. And the cryptographic 
processing and
scope of CMS take on far more than just digital signature. Two different 
things really,
and the part of CMS that would be closest to xmldsig would seem to be 
SignedData.

Phil Griffin



Christian Geuer-Pollmann wrote:

>
> Hi Jacques,
>
> from what I see, the document you cite is from July 1997. I don't know 
> what Mr. Kaliski and Mr. Kingdon want to express by saying "basis".
>
> (1) XML Signature relies on X.509 certificates for representing 
> --well-- X.509 certificates.
>
> (2) It does *not* use PKCS#7 as message syntax format.
>
> (3) If you look at <http://www.w3.org/TR/xmldsig-core/#ref-PKCS1>, it 
> cites PKCS#1 as XML Signature uses RSA, but that's all.
>
> Kind regards,
> Christian
>
> --On Montag, 24. Februar 2003 11:28 +0100 DEMERJIAN <demerjia@enst.fr> 
> wrote:
>
>> In the [Extensions and Revisions to PKCS #7 - Burton S. Kaliski Jr.,
>> Ph.D. and Kevin W. Kingdon 1 - An RSA Laboratories Technical Note - May
>> 13, 1997 - 
>> http://security.ece.orst.edu/koc/ece575/rsalabs/bulletn6.pdf ]
>> thay said that :
>>
>> { PKCS#7 has become the basis of S/MIME, SET, ....also PKCS#7 become a
>> basis for message security in systems as diverse as the W3C Digital
>> Signature Initiative, ...}.
>>
>> My question is : What they mean about basis  .
>>
>> Does xmlDSIG use pkcs#7? or xmlDSIG uses the same method (or logic) as
>> that of pkcs#7?  What is the relation between pkcs#7 and XMLDSIG?
>>
>> Thanks
>>
>> jacques
>
>
>
Received on Monday, 24 February 2003 07:57:04 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:16 GMT