- From: Ed Simon <edsimon@xmlsec.com>
- Date: Thu, 16 May 2002 11:03:28 -0400
- To: "Tom Gindin" <tgindin@us.ibm.com>
- Cc: "Roman Huditsch" <roman.huditsch@hico.com>, <w3c-ietf-xmldsig@w3.org>
I'm didn't say that XML Signature is necessarily a replacement for PKCS#7. What I am saying is that XML Signature is "the new way of doing digital signatures" and that if one is introducing digital signatures into a system, one should seriously consider using XML Signature over PKCS#7. Certainly, if a system is heavily ASN.1-oriented and where the subset of digital signature functionality available in PKCS#7 is deemed satisfactory for the foreseeable future, and the implementors really want to use PKCS#7, I will not object. There may indeed be cases where PKCS#7 remains preferable. But, in general (eg. not always), I think XML Signature should be initially assumed to be the best alternative until proven otherwise for application-layer security. Perhaps I am misreading your email, but are you stating you don't think XML Signature can sign binary data without adding a "binary" transform? If so, I should point out that XML Signature today can sign binary data, and that no "binary" transform is necessary. Indeed, the great thing is that a single XML Signature can cover mulitple binary objects (either referenced or enveloped (and base64-ed)). Please correct me if I'm misinterpreting any part of your email. Regards, Ed ----- Original Message ----- From: "Tom Gindin" <tgindin@us.ibm.com> To: "Ed Simon" <edsimon@xmlsec.com> Cc: "Roman Huditsch" <roman.huditsch@hico.com>; <w3c-ietf-xmldsig@w3.org> Sent: Thursday, May 16, 2002 10:16 AM Subject: Re: newbie Question about PKCS#7 > > I don't think that XML Signature is a replacement for PKCS#7/CMS. It > is an alternative which permits the signing of XML rather than of binary > with a leaning towards ASN.1. However, one possibly productive issue is > brought up by this thread. Is it reasonable to have a standard transform > of "binary" available, analogous to the existing "base64" transform? An > Reference containing an FTP URI can perfectly well point to a binary file > on the physical internet, which has not been encoded in base 64. > > Tom Gindin > > > "Ed Simon" <edsimon@xmlsec.com>@w3.org on 05/16/2002 08:23:36 AM > > Sent by: w3c-ietf-xmldsig-request@w3.org > > > To: "Roman Huditsch" <roman.huditsch@hico.com>, > <w3c-ietf-xmldsig@w3.org> > cc: > Subject: Re: newbie Question about PKCS#7 > > > I think the first question to be pondered is NOT "How?" but "Why?". > > You can of course use XML Signature to sign a PKCS#7 blob just like you can > any other blob. But I think the implication of your email is that you are > looking for some standard specified way of combining PKCS#7 and XML > Signature. There isn't any. Generally, XML Signature should be seen as > the new way of doing digital signatures. > > It may make sense to port existing PKCS#7-based applications to XML > Signature, but I doubt there would be any value trying to have a single > digital signature be a hybrid of both XML Signature and PKCS#7. > > Ed > ----- Original Message ----- > From: Roman Huditsch > To: w3c-ietf-xmldsig@w3.org > Sent: Wednesday, May 15, 2002 9:13 AM > Subject: newbie Question about PKCS#7 > > I'm very new to the topic of XML Signature and I have therefore a rather > simple question, which I couldn' solve myself by reading the spec. I > wanted to look, if this topic was already discussed in your list, but the > mailing-list archiev was down. > What I want to know is: How can I include the PKCS#7 Standard in an XML > Signature? Do I have to use the http://www.w3.org/2000/09/xmldsig#rsa-sha1 > URI? > > wbr, > Roman Huditsch > > > > >
Received on Thursday, 16 May 2002 11:02:01 UTC