Re: newbie Question about PKCS#7

From the XML Signature specification:
"XML Signatures provide integrity, message authentication, and/or signer
authentication services for data of any type, whether located within the XML
that includes the signature or elsewhere. "

Note that it is "data of any type".  YES!  I expect XML Signatures to be
used to sign binary data.

Indeed, with transforms one can sign all sorts of data.  Recently, someone
said to me that they would love to use XML Signature but much of their data
was in relational databases and the XML model didn't work for them.  Let me
be clear: XML Signature is not just for XML data; XML Signature is a
powerful new way of signing all sorts of data.  In fact, in the relational
database scenario, XML Signature could let you sign whatever you can query
and marshal into something that can be hashed.  You don't even have to
change the database entries, just provide a way to invoke a signature
validation at the required times.

It's called "XML Signature" NOT because it's only for signing XML, but
because it's a digital signature encoded in XML.  It so happens that XML
Signature is just dandy for signing XML, but it also happens to be just
dandy for signing all sorts of things.

Regards, Ed

----- Original Message -----
From: "Tom Gindin" <tgindin@us.ibm.com>
To: "Ed Simon" <edsimon@xmlsec.com>
Cc: "Roman Huditsch" <roman.huditsch@hico.com>; <w3c-ietf-xmldsig@w3.org>
Sent: Thursday, May 16, 2002 11:28 AM
Subject: Re: newbie Question about PKCS#7


>
>       Ed:
>
>       IMHO, XML Signature is not "the new way of doing signatures".  It's
> the new, and hopefully best, way of signing documents which include XML.
> Do you expect people to sign pure binary data using XML Signature rather
> than CMS?
>       Maybe I'm confused about the standard, but I don't see a "Type" value
> for transparent binary data or a transform for it.  Does a Reference with
> both Type and Transforms omitted mean binary?
>
>             Tom Gindin
>
> "Ed Simon" <edsimon@xmlsec.com>@w3.org on 05/16/2002 11:03:28 AM
>
> Sent by:    w3c-ietf-xmldsig-request@w3.org
>
>
> To:    Tom Gindin/Watson/IBM@IBMUS
> cc:    "Roman Huditsch" <roman.huditsch@hico.com>,
>        <w3c-ietf-xmldsig@w3.org>
> Subject:    Re: newbie Question about PKCS#7
>
>
> I didn't say that XML Signature is necessarily a replacement for PKCS#7.
> What I am saying is that XML Signature is "the new way of doing digital
> signatures" and that if one is introducing digital signatures into a
> system, one should seriously consider using XML Signature over PKCS#7.
>
> Certainly, if a system is heavily ASN.1-oriented and where the subset of
> digital signature functionality available in PKCS#7 is deemed satisfactory
> for the foreseeable future, and the implementors really want to use PKCS#7,
> I will not object.  There may indeed be cases where PKCS#7 remains
> preferable.  But, in general (e.g. not always), I think XML Signature should
> be initially assumed to be the best alternative until proven otherwise for
> application-layer security.
>
> Perhaps I am misreading your email, but are you stating you don't think XML
> Signature can sign binary data without adding a "binary" transform?  If so,
> I should point out that XML Signature today can sign binary data, and that
> no "binary" transform is necessary.  Indeed, the great thing is that a
> single XML Signature can cover multiple binary objects (either referenced
> or enveloped (and base64-ed)).
>
> Please correct me if I'm misinterpreting any part of your email.
>
> Regards, Ed
>
> ----- Original Message -----
> From: "Tom Gindin" <tgindin@us.ibm.com>
> To: "Ed Simon" <edsimon@xmlsec.com>
> Cc: "Roman Huditsch" <roman.huditsch@hico.com>; <w3c-ietf-xmldsig@w3.org>
> Sent: Thursday, May 16, 2002 10:16 AM
> Subject: Re: newbie Question about PKCS#7
>
>
> >
> >       I don't think that XML Signature is a replacement for PKCS#7/CMS.  It
> > is an alternative which permits the signing of XML rather than of binary
> > with a leaning towards ASN.1.  However, one possibly productive issue is
> > brought up by this thread.  Is it reasonable to have a standard transform
> > of "binary" available, analogous to the existing "base64" transform?  A
> > Reference containing an FTP URI can perfectly well point to a binary file
> > on the physical internet, which has not been encoded in base 64.
> >
> >             Tom Gindin
> >
> >
> > "Ed Simon" <edsimon@xmlsec.com>@w3.org on 05/16/2002 08:23:36 AM
> >
> > Sent by:    w3c-ietf-xmldsig-request@w3.org
> >
> >
> > To:    "Roman Huditsch" <roman.huditsch@hico.com>,
> >        <w3c-ietf-xmldsig@w3.org>
> > cc:
> > Subject:    Re: newbie Question about PKCS#7
> >
> >
> > I think the first question to be pondered is NOT "How?" but "Why?".
> >
> > You can of course use XML Signature to sign a PKCS#7 blob just like you can
> > any other blob.  But I think the implication of your email is that you are
> > looking for some standard specified way of combining PKCS#7 and XML
> > Signature.  There isn't any.  Generally, XML Signature should be seen as
> > the new way of doing digital signatures.
> >
> > It may make sense to port existing PKCS#7-based applications to XML
> > Signature, but I doubt there would be any value trying to have a single
> > digital signature be a hybrid of both XML Signature and PKCS#7.
> >
> > Ed
> >  ----- Original Message -----
> >  From: Roman Huditsch
> >  To: w3c-ietf-xmldsig@w3.org
> >  Sent: Wednesday, May 15, 2002 9:13 AM
> >  Subject: newbie Question about PKCS#7
> >
> >  I'm very new to the topic of XML Signature and I have therefore a rather
> >  simple question, which I couldn't solve myself by reading the spec. I
> >  wanted to check whether this topic was already discussed on your list, but
> >  the mailing-list archive was down.
> >  What I want to know is: How can I include the PKCS#7 Standard in an XML
> >  Signature? Do I have to use the
> >  http://www.w3.org/2000/09/xmldsig#rsa-sha1 URI?
> >
> >  wbr,
> >  Roman Huditsch
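Tom asks whether a Reference with Type and Transforms omitted means binary, and Ed replies that one signature can cover binary objects either referenced or enveloped and base64-ed. The example below is added here and is not code from the thread or from any XMLDSig library: it builds both Reference forms over the same octets and runs only the reference-validation step (digest comparison), so a verifier can see how a detached binary is digested as raw octets while an enveloped one is decoded by the base64 transform first. It assumes a SHA-256 digest URI (xmlenc#sha256) instead of the 2002 sha1 URI, and leaves out canonicalization and the SignatureValue check over SignedInfo.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace and algorithm URIs defined by XML Signature / XML Encryption.
DSIG = "http://www.w3.org/2000/09/xmldsig#"
BASE64_TF = DSIG + "base64"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"  # assumed instead of the 2002 sha1 URI

def b64_sha256(octets: bytes) -> str:
    return base64.b64encode(hashlib.sha256(octets).digest()).decode()

def build_signature(detached_uri: str, blob: bytes) -> ET.Element:
    """SignedInfo with two References over the same octets: one detached
    (no Type, no Transforms: the raw octets are digested) and one enveloped
    as base64 text in an Object, digested through the base64 transform."""
    sig = ET.Element(f"{{{DSIG}}}Signature")
    si = ET.SubElement(sig, f"{{{DSIG}}}SignedInfo")
    ref = ET.SubElement(si, f"{{{DSIG}}}Reference", URI=detached_uri)
    ET.SubElement(ref, f"{{{DSIG}}}DigestMethod", Algorithm=SHA256_URI)
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = b64_sha256(blob)
    ref = ET.SubElement(si, f"{{{DSIG}}}Reference", URI="#obj1")
    tfs = ET.SubElement(ref, f"{{{DSIG}}}Transforms")
    ET.SubElement(tfs, f"{{{DSIG}}}Transform", Algorithm=BASE64_TF)
    ET.SubElement(ref, f"{{{DSIG}}}DigestMethod", Algorithm=SHA256_URI)
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = b64_sha256(blob)
    ET.SubElement(sig, f"{{{DSIG}}}Object", Id="obj1").text = base64.b64encode(blob).decode()
    return sig

def verify_references(sig: ET.Element, detached: dict) -> list:
    """Reference validation only: dereference each URI, apply transforms, compare digests."""
    results = []
    for ref in sig.iter(f"{{{DSIG}}}Reference"):
        uri = ref.get("URI")
        if uri.startswith("#"):  # same-document: the text of the Object with that Id
            obj = next(o for o in sig.iter(f"{{{DSIG}}}Object") if o.get("Id") == uri[1:])
            data = (obj.text or "").encode()
        else:                    # detached: the octets fetched from the URI (supplied here)
            data = detached[uri]
        for tf in ref.iter(f"{{{DSIG}}}Transform"):
            if tf.get("Algorithm") != BASE64_TF:
                raise ValueError("unsupported transform: " + tf.get("Algorithm"))
            data = base64.b64decode(data)   # recover the original octets before digesting
        if ref.find(f"{{{DSIG}}}DigestMethod").get("Algorithm") != SHA256_URI:
            raise ValueError("unsupported digest method")
        expected = ref.findtext(f"{{{DSIG}}}DigestValue").strip()
        results.append(hmac.compare_digest(b64_sha256(data), expected))
    return results
```

Any binary blob works as input; the detached map stands in for fetching the URI, and a changed blob fails only the detached Reference while the enveloped copy still verifies.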

Received on Thursday, 16 May 2002 11:59:46 UTC