Re: Signatures draft

"Donald E. Eastlake 3rd" <dee3@torque.pothole.com> on 02/15/2000 08:15:47 AM

To:   Tom Gindin/Watson/IBM@IBMUS
cc:   "Joseph M. Reagle Jr." <reagle@w3.org>, "John Messing"
      <jmessing@law-on-line.com>, "IETF/W3C XML-DSig WG"
      <w3c-ietf-xmldsig@w3.org>
Subject:  Re: Signatures draft
I believe that a comparison of CMS/PKCS#7 and XMLDSIG Signature
capabilities would be very useful, although perhaps it should be a
separate document.

An example of a SignatureProperty is also useful, but I believe we
have one in an example in the current documentation.

[Tom Gindin]   Where?  I don't see any such example in the current core
document.  There are schema and DTD definitions for SignatureProperty, but
the only example seems to be section 10, which does not use
SignatureProperty (nor Object nor Manifest, for that matter).

An example showing ASN.1 would, in my opinion, detract from the
current syntax document if put there by adding needless complexity
that most readers would not understand.

[Tom Gindin]   An example with ASN.1 would only be appropriate for a
comparison of CMS/PKCS#7 with XMLDSIG.

Donald

From:  tgindin@us.ibm.com
Resent-Date:  Mon, 14 Feb 2000 18:23:02 -0500 (EST)
Resent-Message-Id:  <200002142323.SAA18189@www19.w3.org>
To:  "Joseph M. Reagle Jr." <reagle@w3.org>
cc:  "John Messing" <jmessing@law-on-line.com>,
            "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Message-ID:  <85256885.00806D85.00@D51MTA07.pok.ibm.com>
Date:  Mon, 14 Feb 2000 18:19:35 -0500

>     There is one wording error in section 5.2 - i.e. should be e.g. (for
>example rather than that is).  In the minutes of the IETF 46 meeting, this
>same issue came up as "what is equivalent to PKCS-7 Authenticated
>Attributes in the syntax".  It was suggested that an example of this should
>be included (presumably in the syntax draft), and none has been yet.
>     Since I was the one who suggested an example (passport check), here is
>the ASN.1 for the CMS or PKCS-7 equivalent, neglecting DER sorting and
>similar issues, and using a hybrid value notation to avoid separate
>definitions for the types and data here:
>
>     AuthenticatedAttributes ::= SET { PassportNumber, ChecksMade }
>
>     PassportNumber ::= SEQUENCE {
>          tempOID   OBJECT IDENTIFIER { 0 3 8232 4127 20000214 1 },
>          value          SET  {
>               val1 SEQUENCE {
>                    country        PrintableString "US",
>                    idnumber  UTF8String "555"
>               }
>          }
>     }
>
>     ChecksMade          ::= SEQUENCE {
>          tempOID2  OBJECT IDENTIFIER { 0 3 8232 4127 20000214 2 },
>          value2         SET  {
>               chks BIT STRING { picture(0) TRUE, gender(1) TRUE,
>                                 approxAge(2) TRUE, eyeColor(3) FALSE }
>          }
>     }
>
>     I hope the notation is fairly clear.  The OID root is mine personally,
>if anybody is curious.  I think that we should have an XML equivalent in
>the draft showing what a SignatureProperty element representing at least
>one of these assertions would look like.
>
>          Tom Gindin

Received on Tuesday, 15 February 2000 10:11:50 UTC
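As an added illustration that is not part of this thread or of the XMLDSIG draft, the Python below builds the XML SignatureProperty counterpart of the passport-check attributes quoted above and shows the point the comparison with CMS turns on: the properties are authenticated only because a Reference in SignedInfo covers them, just as CMS authenticatedAttributes are covered by the signature. Assumptions: the final XMLDSIG namespace URI, SHA-1 as the DigestMethod, no canonicalization step, and the element names PassportNumber, ChecksMade and Check, which are hypothetical application vocabulary.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

# Final XMLDSIG namespace (assumption: the Feb 2000 draft used an earlier dated URI).
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
q = lambda tag: f"{{{DS}}}{tag}"  # Clark-notation tag in the ds namespace

# Constructed sample data mirroring the ASN.1 values in the quoted message.
PASSPORT = {"country": "US", "idnumber": "555"}
CHECKS = {"picture": True, "gender": True, "approxAge": True, "eyeColor": False}

def build_properties(passport, checks, sig_id="sig1", props_id="props1"):
    """One SignatureProperty per assertion; Target names the Signature it qualifies.
    PassportNumber, ChecksMade and Check are hypothetical application elements."""
    props = ET.Element(q("SignatureProperties"), {"Id": props_id})
    prop = ET.SubElement(props, q("SignatureProperty"), {"Target": "#" + sig_id})
    ET.SubElement(prop, "PassportNumber", passport)
    prop = ET.SubElement(props, q("SignatureProperty"), {"Target": "#" + sig_id})
    made = ET.SubElement(prop, "ChecksMade")
    for name, done in checks.items():
        ET.SubElement(made, "Check", {"name": name, "done": str(done).lower()})
    return props

def digest_b64(element):
    """ds:DigestValue (SHA-1, base64). Simplified: real XMLDSIG canonicalizes first."""
    return base64.b64encode(hashlib.sha1(ET.tostring(element)).digest()).decode()

def build_signature(passport, checks):
    """The Reference to #props1 inside SignedInfo is what makes the properties
    authenticated (the CMS analogue); a property no Reference covers is unsigned."""
    sig = ET.Element(q("Signature"), {"Id": "sig1"})
    info = ET.SubElement(sig, q("SignedInfo"))
    props = build_properties(passport, checks)
    ref = ET.SubElement(info, q("Reference"), {"URI": "#props1"})
    ET.SubElement(ref, q("DigestMethod"), {"Algorithm": DS + "sha1"})
    ET.SubElement(ref, q("DigestValue")).text = digest_b64(props)
    ET.SubElement(sig, q("SignatureValue")).text = "(signature over SignedInfo)"
    ET.SubElement(sig, q("Object")).append(props)
    return sig

def verify_references(sig):
    """Recompute the digest of each same-document Reference target, located by Id."""
    by_id = {el.get("Id"): el for el in sig.iter() if el.get("Id")}
    for ref in sig.iterfind(f"{q('SignedInfo')}/{q('Reference')}"):
        target = by_id.get(ref.get("URI", "")[1:])
        if target is None or digest_b64(target) != ref.findtext(q("DigestValue")):
            return False
    return True
```

Flipping any Check inside the Object after signing changes the recomputed digest, so verify_references returns False; that is the detection CMS gets from signing its authenticatedAttributes.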