RE: XMLDSIG RSA signatures

I agree thatthe only viable choices are 2 and 4.

I would prefer that we picked one format as well, since it is difficult
to make use of the OID unless you know it is going to be there.

I still prefer 4, although the OID idea is not such a bad one - did the
proposal ever get anywhere? It has been made many times in the past and
even appeared in the pre-IETF Web specs (briefly).

	Phill

> -----Original Message-----
> From: merlin [mailto:merlin@baltimore.ie]
> Sent: Wednesday, August 30, 2000 11:09 AM
> To: w3c-ietf-xmldsig@w3.org
> Subject: Re: XMLDSIG RSA signatures
> 
> 
> 
> Hi,
> 
> Here's a summary from my pov..
> 
> WTLS (Wireless TLS) and TLS both use an RSA signature that is just
> CRYPT (PAD (DIGEST (data))). Which I called "raw" digest. Because
> the digest algorithm is fixed, no substitution attack is possible.
> PKCS#1, as we know, is CRYPT (PAD (ASN.1 (OID, DIGEST (data)))).
> 
> So, among the options under discussion.
> 
> 1) B64 (C(P(D(data))))            ("raw" digest)
> 2) B64 (C(P(ASN1(D(data)))))      (PKCS#1 wrapped digest)
> 3) B64 (OID . C(P(D(data))))
> 4) B64 (OID . C(P(ASN1(D(data)))))
> 
> . I believe that no one desires 1) or 3).
> 
> . I desire just 2). This is secure, the ASN.1 part is supported
>   by all crypto toolkits, and it places no unnecessary ASN.1
>   burden on the XMLDSIG implementation.
> 
> . Some people propose 2) or 4) at the application's discretion.
>   Having a choice is just bad. In my opinion.
> 
> . Other people desire that it is just 4). I disagree with this.
>   If we want to use OIDs to identify crypto algorithms (which
>   has its merits) then we can use Signature Algorithm URIs of
>   'oid:1.2.3.4' instead of '&dsig;bar'.
> 
> Merlin
>