W3C home > Mailing lists > Public > w3c-xml-sig-ws@w3.org > April 1999

RE: XML interface with URIs

From: Richard D. Brown <rdbrown@GlobeSet.com>
Date: Tue, 27 Apr 1999 13:07:45 -0500
To: "'Phillip M Hallam-Baker'" <pbaker@verisign.com>, "'Bede McCall'" <bede@mitre.org>, <w3c-xml-sig-ws@w3.org>
Message-ID: <009301be90d8$da2b7790$0bc0010a@artemis.globeset.com>
Phill,

Agreed that CMS shall refer to the IETF specification. However, a large
majority of existing implementations are PKCS#7 and not CMS. So, I do not
understand the argument developed previously on the list - I thought that
support for CMS was motivated by the possibility to leverage existing
implementations!

Recall that CMS and PKCS#7 SignedData type are very similar, but there are
not compatible even if you disregard CMS added functionality.

Sincerely,

Richard D. Brown


> -----Original Message-----
> From: Phillip M Hallam-Baker [mailto:pbaker@verisign.com]
> Sent: Monday, April 26, 1999 12:02 PM
> To: rdbrown@GlobeSet.com; 'Bede McCall'; w3c-xml-sig-ws@w3.org
> Subject: RE: XML interface with URIs
>
>
> > 1 - What do people refer to by CMS? CMS as specified by PKIX or
> > PKCS#7 from
> > RSA.
>
> CMS is the IETF interpretation of PKCS#7. At this point CMS is the
> standard to reference.
>
> > 2 - CMS implementations usually require the
> certificate-chain to be either
> > refer to or pass as an argument. What is the impact on XML-DSIG
> > implementation? Other crypto-algorithms require only the
> private-key.
>
> I think as far as 'blobism' goes it is the detached signature
> blob which
> is of interest - everything within the signature envelope.
>
> PKI implementations require a certificate chain to authenticate a
> signed object, at least according to PKI as we know it. Whether the
> certificates are sent with the message, retrieved from a server
> or directory there is a need to authenticate public keys in some
> manner.
>
> I don't know of any PKI, including PGP which does not have such
> a constraint. Certainly certificate chain transport is something
> the XML spec has to address. It is not something which I would
> want to insist on CMS to achieve however. Signature blobs stripped
> of the cert chain achieve the backwards compatibility we need.
>
> > Also, we can make sure that the specification provides for
> CMS without
> > making CMS mandatory. Actually, I would certainly vote
> against such a
> > proposition.
>
> Votes? What votes?
>
>
> 		Phill
>
Received on Tuesday, 27 April 1999 14:07:32 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 11:28:04 EDT