Re: ISSUE-12: Widgets: Digital signatures: XML Signature versus PKCS#7 [Web Application Packaging]

On 2007-08-08 08:46:13 +0000, Web Application Formats Working Group
Issue Tracker wrote:

> ISSUE-12: Widgets: Digital signatures: XML Signature versus
> PKCS#7 [Web Application Packaging]

> http://www.w3.org/2005/06/tracker/waf/issues/

> Raised by: Bernardo Sampaio
> On product: Web Application Packaging

> See minutes from 7 August 2007 discussion:
> http://www.w3.org/2007/08/08-waf-minutes.html

That's actually http://www.w3.org/2007/08/07-waf-minutes.html...

Skimming through these minutes, we'd want to profile either PKCS#7
or XML Signature down to a subset that gives us the functionality
*really* needed.

Using XML Signature, one would probably pin things down to a single
canonicalization algorithm (and if you don't actually need
canonicalization for the use case you are looking at, then you could
even just put the identity transform in there -- it's NOT obvious
that every signature needs canonicalization!), a very narrow set of
crypto algorithms, a very narrow set of transforms to be permitted
(probably meaning "none at all"), and so on -- thereby ditching 90%
of the generality and most of the overhead that is simply not needed
for the use case at hand.

Note that this suggestion goes far beyond what's covered by the
current widget signing proposal, in terms of constraining the use of
XML Signature.

Therefore, I think the performance and overhead arguments about XML
Signature can be made moot by proper profiling, returning us to the
XML vs. ASN.1 discussion.

And on that discussion, since widgets are already using XML for
configuration files, I'd +1 the use of XML Signature over going for
PKCS#7.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 8 August 2007 13:14:50 UTC