Re: ISSUE-12: Widgets: Digital signatures: XML Signature versus PKCS#7 [Web Application Packaging] from Marcos Caceres on 2007-08-16 (public-appformats@w3.org from August 2007)

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Thu, 16 Aug 2007 11:11:43 +1000
To: "Web Application Formats Working Group Issue Tracker" <sysbot+tracker@w3.org>, public-appformats@w3.org, tlr@w3.org
Cc: "Immonen Olli (Nokia-NRC/Helsinki)" <olli.immonen@nokia.com>
Message-ID: <b21a10670708151811y4838cf83lda4572463e718da8@mail.gmail.com>

Hi Thomas,

On 8/8/07, Thomas Roessler <tlr@w3.org> wrote:
>
> On 2007-08-08 08:46:13 +0000, Web Application Formats Working Group
> Issue Tracker wrote:
>
> > ISSUE-12: Widgets: Digital signatures: XML Signature versus
> > PKCS#7 [Web Application Packaging]
>
> > http://www.w3.org/2005/06/tracker/waf/issues/
>
> > Raised by: Bernardo Sampaio
> > On product: Web Application Packaging
>
> > See minutes from 7 August 2007 discussion:
> > http://www.w3.org/2007/08/08-waf-minutes.html
>
> That's actually http://www.w3.org/2007/08/07-waf-minutes.html...
>
> Skimming through these minutes, we'd want to profile either PKCS#7
> or XML Signature down to a subset that gives us the functionality
> *really* needed.
>
> Using XML Signature, one would probably pin things down to a single
> canonicalization algorithm (and if you don't actually need
> canonicalization for the use case you are looking at, then you could
> even just put the identity transform in there -- it's NOT obvious
> that every signature needs canonicalization!), a very narrow set of
> crypto algorithms, a very narrow set of transforms to be permitted
> (probably meaning "none at all"), and so on -- thereby ditching 90%
> of the generality and most of the overhead that is simply not needed
> for the use case at hand.

Yeah, this is kinda what we were thinking. Kinda like a Digital
Signatures "Lite."

> Note that this suggestion goes far beyond what's covered by the
> current widget signing proposal, in terms of constraining the use of
> XML Signature.

We tend to feel it is important, there seems to be significant
overhead with XML Signature.

> Therefore, I think the performance and overhead arguments about XML
> Signature can be made moot by proper profiling, returning us to the
> XML vs. ASN.1 discussion.

Agreed.

> And on that discussion, since widgets are already using XML for
> configuration files, I'd +1 the use of XML Signature over going for
> PKCS#7.

I'll also back this as long as it is possible to profile XML Signature
in such a way that it does not break. I'll also start looking into
this.

Kind regards,
Marcos

-- 
Marcos Caceres
http://datadriven.com.au

Received on Thursday, 16 August 2007 01:11:52 UTC