- From: Sean Mullan <Sean.Mullan@Sun.COM>
- Date: Thu, 21 Aug 2008 14:42:17 -0400
- To: Scott Cantor <cantor.2@osu.edu>
- Cc: Kelvin Yiu <kelviny@exchange.microsoft.com>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Scott Cantor wrote: > Sean Mullan wrote: >> It also occured to me that many of these minimal processing and >> verification issues could be solved if the xml signature was always >> stored in a separate xml document, and somehow safely associated or >> packaged with what it is signing (like a zip file). > > I guess it's relevant to my action item, so I'll point out that if > you're going to do that, there is very little value to signing it as XML > or producing a signature that's XML. That's much easier to do with > S/MIME (or something like what we did with the alternate SAML binding). Maybe but at least for Java applications, you've already got a standard XML Signature API in all JREs. There's no standard Java S/MIME API and there may never be. Even if we end up just using the XML Signature structure as a container for the digests and signature and not much else, I think it still may be a win. --Sean
Received on Thursday, 21 August 2008 18:43:01 UTC