- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Thu, 16 May 2002 11:28:27 -0400
- To: "Ed Simon" <edsimon@xmlsec.com>
- Cc: "Roman Huditsch" <roman.huditsch@hico.com>, <w3c-ietf-xmldsig@w3.org>
Ed:

IMHO, XML Signature is not "the new way of doing signatures". It's the new, and hopefully best, way of signing documents which include XML. Do you expect people to sign pure binary data using XML Signature rather than CMS? Maybe I'm confused about the standard, but I don't see a "Type" value for transparent binary data or a transform for it. Does a Reference with both Type and Transforms omitted mean binary?

Tom Gindin

"Ed Simon" <edsimon@xmlsec.com>@w3.org on 05/16/2002 11:03:28 AM

Sent by: w3c-ietf-xmldsig-request@w3.org

To: Tom Gindin/Watson/IBM@IBMUS
cc: "Roman Huditsch" <roman.huditsch@hico.com>, <w3c-ietf-xmldsig@w3.org>
Subject: Re: newbie Question about PKCS#7

I didn't say that XML Signature is necessarily a replacement for PKCS#7. What I am saying is that XML Signature is "the new way of doing digital signatures" and that if one is introducing digital signatures into a system, one should seriously consider using XML Signature over PKCS#7.

Certainly, if a system is heavily ASN.1-oriented and where the subset of digital signature functionality available in PKCS#7 is deemed satisfactory for the foreseeable future, and the implementors really want to use PKCS#7, I will not object. There may indeed be cases where PKCS#7 remains preferable. But, in general (e.g. not always), I think XML Signature should be initially assumed to be the best alternative until proven otherwise for application-layer security.

Perhaps I am misreading your email, but are you stating you don't think XML Signature can sign binary data without adding a "binary" transform? If so, I should point out that XML Signature today can sign binary data, and that no "binary" transform is necessary. Indeed, the great thing is that a single XML Signature can cover multiple binary objects (either referenced or enveloped (and base64-ed)).

Please correct me if I'm misinterpreting any part of your email.

Regards, Ed

----- Original Message -----
From: "Tom Gindin" <tgindin@us.ibm.com>
To: "Ed Simon" <edsimon@xmlsec.com>
Cc: "Roman Huditsch" <roman.huditsch@hico.com>; <w3c-ietf-xmldsig@w3.org>
Sent: Thursday, May 16, 2002 10:16 AM
Subject: Re: newbie Question about PKCS#7

>
> I don't think that XML Signature is a replacement for PKCS#7/CMS. It
> is an alternative which permits the signing of XML rather than of binary
> with a leaning towards ASN.1. However, one possibly productive issue is
> brought up by this thread. Is it reasonable to have a standard transform
> of "binary" available, analogous to the existing "base64" transform? A
> Reference containing an FTP URI can perfectly well point to a binary file
> on the physical internet, which has not been encoded in base 64.
>
> Tom Gindin
>
>
> "Ed Simon" <edsimon@xmlsec.com>@w3.org on 05/16/2002 08:23:36 AM
>
> Sent by: w3c-ietf-xmldsig-request@w3.org
>
>
> To: "Roman Huditsch" <roman.huditsch@hico.com>,
> <w3c-ietf-xmldsig@w3.org>
> cc:
> Subject: Re: newbie Question about PKCS#7
>
>
> I think the first question to be pondered is NOT "How?" but "Why?".
>
> You can of course use XML Signature to sign a PKCS#7 blob just like you can
> any other blob. But I think the implication of your email is that you are
> looking for some standard specified way of combining PKCS#7 and XML
> Signature. There isn't any. Generally, XML Signature should be seen as
> the new way of doing digital signatures.
>
> It may make sense to port existing PKCS#7-based applications to XML
> Signature, but I doubt there would be any value trying to have a single
> digital signature be a hybrid of both XML Signature and PKCS#7.
>
> Ed
> ----- Original Message -----
> From: Roman Huditsch
> To: w3c-ietf-xmldsig@w3.org
> Sent: Wednesday, May 15, 2002 9:13 AM
> Subject: newbie Question about PKCS#7
>
> I'm very new to the topic of XML Signature and I have therefore a rather
> simple question, which I couldn't solve myself by reading the spec. I
> wanted to look, if this topic was already discussed in your list, but the
> mailing-list archive was down.
> What I want to know is: How can I include the PKCS#7 Standard in an XML
> Signature? Do I have to use the http://www.w3.org/2000/09/xmldsig#rsa-sha1
> URI?
>
> wbr,
> Roman Huditsch
>
Received on Thursday, 16 May 2002 11:29:32 UTC
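
Added example, not part of any message in this thread: a Python sketch of the two ways of covering binary data discussed above, a Reference with Type and Transforms omitted whose digest is taken over the dereferenced octets, and a base64-encoded copy enveloped in an Object with the base64 transform. The FTP URI, the Id, the sample bytes, the helper names and the use of SHA-256 as digest are assumptions made for illustration.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"  # assumption: SHA-256 digest URI
B64 = DSIG + "base64"                                # the existing base64 transform
SAMPLE = bytes(range(256))                           # constructed binary payload

def q(tag):
    """Qualified ElementTree name in the XML Signature namespace."""
    return "{%s}%s" % (DSIG, tag)

def digest_value(octets):
    """DigestValue: base64 of the digest over the final octet stream."""
    return base64.b64encode(hashlib.sha256(octets).digest()).decode("ascii")

def _finish(ref, octets):
    ET.SubElement(ref, q("DigestMethod"), {"Algorithm": SHA256})
    ET.SubElement(ref, q("DigestValue")).text = digest_value(octets)
    return ref

def external_reference(uri, octets):
    """Binary fetched from a URI: no Type, no Transforms, raw octets digested."""
    return _finish(ET.Element(q("Reference"), {"URI": uri}), octets)

def enveloped_reference(obj_id, octets):
    """Binary carried as base64 text in an Object; the transform decodes it."""
    obj = ET.Element(q("Object"), {"Id": obj_id})
    obj.text = base64.encodebytes(octets).decode("ascii")  # line-wrapped base64
    ref = ET.Element(q("Reference"), {"URI": "#" + obj_id})
    transforms = ET.SubElement(ref, q("Transforms"))
    ET.SubElement(transforms, q("Transform"), {"Algorithm": B64})
    # The base64 transform takes the element's text content and decodes it.
    decoded = base64.b64decode("".join(obj.itertext()))
    return obj, _finish(ref, decoded)

def reference_matches(ref, octets):
    """Validation side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(ref.find(q("DigestValue")).text, digest_value(octets))

if __name__ == "__main__":
    ext = external_reference("ftp://ftp.example.org/blob.bin", SAMPLE)  # constructed URI
    obj, env = enveloped_reference("blob", SAMPLE)
    print(ET.tostring(ext, encoding="unicode"))
    print(ET.tostring(env, encoding="unicode"))
    print(reference_matches(ext, SAMPLE), reference_matches(env, SAMPLE))
```

Both References end up with the same DigestValue, because in each case the digest input is the original octet stream; only the path to those octets differs.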