- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Mon, 24 Feb 2003 08:09:25 -0500
- To: "Phillip H. Griffin" <phil.griffin@asn-1.com>
- Cc: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>, DEMERJIAN <demerjia@enst.fr>, w3c-ietf-xmldsig@w3.org
Phil:

While CMS is essentially a replacement for PKCS#7, S/MIME is not. S/MIME does have a body part type (application/pkcs7-mime) which is defined to carry PKCS#7 or CMS objects. To the best of my recollection, there were efforts to have XMLDSIG include the core functionality of the CMS SignedData type, and at least the SignatureProperties type was partly motivated by this.

Tom Gindin

"Phillip H. Griffin" <phil.griffin@asn-1.com>@w3.org on 02/24/2003 07:53:20 AM
Sent by: w3c-ietf-xmldsig-request@w3.org
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
cc: DEMERJIAN <demerjia@enst.fr>, w3c-ietf-xmldsig@w3.org
Subject: Re: QUESTION ABOUT PKCS#7 AND XMLDSIG

I believe the Kaliski statement is essentially correct. PKCS #7 also goes by the name CMS or Cryptographic Message Syntax, and in the IETF by SMIME or S/MIME. If you read carefully the June 1999 thread on "Some possible rqmt/design points" and even much earlier, you'll see that CMS processing and capability were clearly on the minds of some designers. For example, from lists.w3.org/Archives/Public/w3c-ietf-xmldsig/1999AprJun/0033.html

"Additional thoughts from my notes on the requirements front. Some of these may be in between requirements and design, and aren't in a particular order. Also, they're in the spirit of trying to leverage much of the CMS experience. I think attention to the validation logic is particularly important. (By the way, I know I included the "no criticality" point twice)"

Of course, that is not to say that xmldsig is an XML version of CMS. That would be true only of the X9.96 XML CMS work going on in ANSI, or to some degree the use of XML encoded CMS components in the X9.95 Trusted Time Stamp, X9.84:2003 Biometric Information Management and Security, or OASIS XCBF works. And xmldsig provides functionality and a document view not directly supported in CMS, which takes a message view of signed content.

And the cryptographic processing and scope of CMS take on far more than just digital signature. Two different things really, and the part of CMS that would be closest to xmldsig would seem to be SignedData.

Phil Griffin

Christian Geuer-Pollmann wrote:
>
> Hi Jacques,
>
> from what I see, the document you cite is from July 1997. I don't know
> what Mr. Kaliski and Mr. Kingdon want to express by saying "basis".
>
> (1) XML Signature relies on X.509 certificates for representing
> --well-- X.509 certificates.
>
> (2) It does *not* use PKCS#7 as message syntax format.
>
> (3) If you look at <http://www.w3.org/TR/xmldsig-core/#ref-PKCS1>, it
> cites PKCS#1 as XML Signature uses RSA, but that's all.
>
> Kind regards,
> Christian
>
> --On Montag, 24. Februar 2003 11:28 +0100 DEMERJIAN <demerjia@enst.fr>
> wrote:
>
>> In the [Extensions and Revisions to PKCS #7 - Burton S. Kaliski Jr.,
>> Ph.D. and Kevin W. Kingdon 1 - An RSA Laboratories Technical Note - May
>> 13, 1997 -
>> http://security.ece.orst.edu/koc/ece575/rsalabs/bulletn6.pdf ]
>> they said that:
>>
>> { PKCS#7 has become the basis of S/MIME, SET, ....also PKCS#7 become a
>> basis for message security in systems as diverse as the W3C Digital
>> Signature Initiative, ...}.
>>
>> My question is: What do they mean by basis?
>>
>> Does xmlDSIG use pkcs#7? Or does xmlDSIG use the same method (or logic) as
>> that of pkcs#7? What is the relation between pkcs#7 and XMLDSIG?
>>
>> Thanks
>>
>> jacques
Received on Monday, 24 February 2003 08:10:22 UTC