- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Mon, 24 Feb 2003 08:09:25 -0500
- To: "Phillip H. Griffin" <phil.griffin@asn-1.com>
- Cc: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>, DEMERJIAN <demerjia@enst.fr>, w3c-ietf-xmldsig@w3.org
Phil:
While CMS is essentially a replacement for PKCS#7, S/MIME is not.
S/MIME does have a body part type (application/pkcs7-mime) which is defined
to carry PKCS#7 or CMS objects.
To the best of my recollection, there were efforts to have XMLDSIG
include the core functionality of the CMS SignedData type, and at least the
SignatureProperties type was partly motivated by this.
Tom Gindin
"Phillip H. Griffin" <phil.griffin@asn-1.com>@w3.org on 02/24/2003 07:53:20
AM
Sent by: w3c-ietf-xmldsig-request@w3.org
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
cc: DEMERJIAN <demerjia@enst.fr>, w3c-ietf-xmldsig@w3.org
Subject: Re: QUESTION ABOUT PKCS#7 AND XMLDSIG
I believe the Kaliski statement is essentially correct. PKCS #7 also
goes by the name CMS or Cryptographic Message Syntax, and in the
IETF by SMIME or S/MIME. If you read carefully the June 1999
thread on "Some possible rqmt/design points" and even much earlier,
you'll see that CMS processing and capability were clearly on the minds
of some designers. For example, from
lists.w3.org/Archives/Public/w3c-ietf-xmldsig/1999AprJun/0033.html
"Additional thoughts from my notes on the requirements front. Some of
these may be in between requirements and design, and aren't in a
particular order. Also, they're in the spirit of trying to leverage
much of the CMS experience. I think attention to the validation logic
is particularly important. (By the way, I know I included the "no
criticality" point twice)"
Of course, that is not to say that xmldsig is an XML version of CMS.
That would be
true only of the X9.96 XML CMS work going on in ANSI, or to some degree
the use
of XML encoded CMS components in the X9.95 Trusted Time Stamp, X9.84:2003
Biometric Information Management and Security, or OASIS XCBF works.
And xmldsig provides functionality and a document view not directly
supported in CMS,
which takes a message view of signed content. And the cryptographic
processing and
scope of CMS take on far more than just digital signature. Two different
things really,
and the part of CMS that would be closest to xmldsig would seem to be
SignedData.
Phil Griffin
Christian Geuer-Pollmann wrote:
>
> Hi Jacques,
>
> from what I see, the document you cite is from July 1997. I don't know
> what Mr. Kaliski and Mr. Kingdon want to express by saying "basis".
>
> (1) XML Signature relies on X.509 certificates for representing
> --well-- X.509 certificates.
>
> (2) It does *not* use PKCS#7 as message syntax format.
>
> (3) If you look at <http://www.w3.org/TR/xmldsig-core/#ref-PKCS1>, it
> cites PKCS#1 as XML Signature uses RSA, but that's all.
>
> Kind regards,
> Christian
>
> --On Montag, 24. Februar 2003 11:28 +0100 DEMERJIAN <demerjia@enst.fr>
> wrote:
>
>> In the [Extensions and Revisions to PKCS #7 - Burton S. Kaliski Jr.,
>> Ph.D. and Kevin W. Kingdon 1 - An RSA Laboratories Technical Note - May
>> 13, 1997 -
>> http://security.ece.orst.edu/koc/ece575/rsalabs/bulletn6.pdf ]
>> thay said that :
>>
>> { PKCS#7 has become the basis of S/MIME, SET, ....also PKCS#7 become a
>> basis for message security in systems as diverse as the W3C Digital
>> Signature Initiative, ...}.
>>
>> My question is : What they mean about basis .
>>
>> Does xmlDSIG use pkcs#7? or xmlDSIG uses the same method (or logic) as
>> that of pkcs#7? What is the relation between pkcs#7 and XMLDSIG?
>>
>> Thanks
>>
>> jacques
>
>
>
Received on Monday, 24 February 2003 08:10:22 UTC