- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 8 Aug 2007 15:14:41 +0200
- To: Web Application Formats Working Group Issue Tracker <sysbot+tracker@w3.org>
- Cc: public-appformats@w3.org

On 2007-08-08 08:46:13 +0000, Web Application Formats Working Group Issue Tracker wrote:

> ISSUE-12: Widgets: Digital signatures: XML Signature versus
> PKCS#7 [Web Application Packaging]
>
> http://www.w3.org/2005/06/tracker/waf/issues/
>
> Raised by: Bernardo Sampaio
> On product: Web Application Packaging
>
> See minutes from 7 August 2007 discussion:
> http://www.w3.org/2007/08/08-waf-minutes.html

That's actually http://www.w3.org/2007/08/07-waf-minutes.html...

Skimming through these minutes, we'd want to profile either PKCS#7 or XML Signature down to a subset that gives us the functionality *really* needed.

Using XML Signature, one would probably pin things down to a single canonicalization algorithm (and if you don't actually need canonicalization for the use case you are looking at, then you could even just put the identity transform in there -- it's NOT obvious that every signature needs canonicalization!), a very narrow set of crypto algorithms, a very narrow set of transforms to be permitted (probably meaning "none at all"), and so on -- thereby ditching 90% of the generality and most of the overhead that is simply not needed for the use case at hand.

Note that this suggestion goes far beyond what's covered by the current widget signing proposal, in terms of constraining the use of XML Signature.

Therefore, I think the performance and overhead arguments about XML Signature can be made moot by proper profiling, returning us to the XML vs. ASN.1 discussion.

And on that discussion, since widgets are already using XML for configuration files, I'd +1 the use of XML Signature over going for PKCS#7.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>

Received on Wednesday, 8 August 2007 13:14:50 UTC
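
The kind of profiling the message describes, as an added example that is not part of the original message or of any W3C specification: a check, run before signature verification, that rejects a detached `ds:Signature` unless it uses one pinned canonicalization, signature and digest algorithm and no transforms at all. The pinned algorithm choices, the names `profile_violations` and `sample`, and the sample documents are assumptions constructed for illustration; the code checks profile conformance only and does not verify the signature itself.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
# Assumed profile: one choice per slot (the message names no algorithms).
PROFILE = {
    "CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
}

def profile_violations(signature_xml):
    """List the reasons a detached ds:Signature falls outside the profile."""
    sig = ET.fromstring(signature_xml)
    info = sig.find("ds:SignedInfo", NS)
    if sig.tag != f"{{{DS}}}Signature" or info is None:
        return ["not a ds:Signature with a ds:SignedInfo"]
    problems = []

    def check(parent, tag):
        # Exactly one element, and its Algorithm must be the pinned one.
        elems = parent.findall(f"ds:{tag}", NS)
        if len(elems) != 1:
            problems.append(f"expected one {tag}, found {len(elems)}")
        for e in elems:
            if e.get("Algorithm") != PROFILE[tag]:
                problems.append(f"{tag} outside profile: {e.get('Algorithm')}")
    check(info, "CanonicalizationMethod")
    check(info, "SignatureMethod")
    refs = info.findall("ds:Reference", NS)
    if not refs:
        problems.append("no ds:Reference")
    for ref in refs:
        if ref.find("ds:Transforms", NS) is not None:  # profile permits none
            problems.append(f"transforms used on {ref.get('URI')!r}")
        check(ref, "DigestMethod")
    return problems

def sample(sig_alg, digest_alg, transforms=""):
    # Constructed test document; URI and the AAAA values are placeholders.
    return f"""<Signature xmlns="{DS}"><SignedInfo>
 <CanonicalizationMethod Algorithm="{PROFILE['CanonicalizationMethod']}"/>
 <SignatureMethod Algorithm="{sig_alg}"/>
 <Reference URI="config.xml">{transforms}
  <DigestMethod Algorithm="{digest_alg}"/><DigestValue>AAAA</DigestValue>
 </Reference></SignedInfo><SignatureValue>AAAA</SignatureValue></Signature>"""
XSLT = '<Transforms><Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/></Transforms>'
GOOD = sample(PROFILE["SignatureMethod"], PROFILE["DigestMethod"])
BAD = sample(DS + "rsa-sha1", DS + "sha1", XSLT)
```

`profile_violations(GOOD)` returns an empty list, while `BAD` is reported for its signature method, its digest method and its use of a transform.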