- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Wed, 29 Mar 2006 22:22:38 +0200
- To: "Mikolaj Habryn" <dichro@rcpt.to>, <w3c-ietf-xmldsig@w3.org>
Mikolaj,

I tried it but got an internal error. Maybe the certificate issued by "SuckerTrust" for a user with the e-mail address boss@fire.hell was the culprit. :-)

Anyway, there are other issues that I find more disturbing than the lack of native XML DSig signatures, and that is the limited functionality of "signText ()" itself. That signText is not supported by the browser used by more than 80% of all users does not make things better.

Apart from that, I have no objections to the conversion scheme, although I would like to see some more documentation if possible.

So far as I can see, this year (2006) will be the year when at least three (!) competing "web sign" standardization efforts will be raised: OASIS, EU/CEN, and my own not yet affiliated WASP mojo. The latter will be launched next week at the NIST PKI Workshop. I guess W3C will launch something in this direction as well...

Anders R

----- Original Message -----
From: "Mikolaj Habryn" <dichro@rcpt.to>
To: <w3c-ietf-xmldsig@w3.org>
Sent: Wednesday, March 29, 2006 16:25
Subject: RFC; new SignatureAlgorithm for web browser interop

I decided recently to take a tilt at the windmill of making an xmldsig application somewhat more approachable by driving it entirely from a web browser. The signing support in browsers at the moment (javascript crypto.signText method) generates a PKCS7 signature which contains all the usual data, but isn't directly morphable into a ds:Signature block due to the signature being over an ASN.1 block instead of a ds:SignedInfo.

I'd like to propose a new signature algorithm which replicates the PKCS7 algorithm. Actually, rather than proposing, I'd also like to point y'all to an example of it at http://wiki.rcpt.to:8180/pkcs/ which will generate a ds:Signature block for an arbitrary document.

The signing operation is done entirely on the browser with client-side certificates, although the transformation into a ds:Signature is server-side because I couldn't quite stomach the idea of writing an ASN.1 parser in Javascript. The generated signatures can be verified using a plugin for Apache's XML-Security toolkit available from http://wiki.rcpt.to/perl/wiki.pl?PKCSToXMLDSig (which also contains some random annotations on this little project).

Comments warmly invited.

m.
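The mismatch Mikolaj describes (a PKCS#7 SignerInfo signs a DER signedAttrs block carrying a messageDigest attribute, while XMLDSig signs the canonicalized ds:SignedInfo carrying a ds:DigestValue), worked through as an added example that is not code from this thread or from the wiki.rcpt.to project: it rebuilds the PKCS#7 to-be-signed bytes from a ds:DigestValue, which is what a verifier of a PKCS7-replicating SignatureMethod would have to do instead of canonicalizing SignedInfo, and extracts the digest back out of signedAttrs for the server-side conversion. It assumes SHA-256, the id-data content type and only the two mandatory signed attributes; the public-key operation over those bytes is not performed.

```python
import base64
import hashlib

OID_ID_DATA = "1.2.840.113549.1.7.1"        # contentType value for plain data
OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"

def der_tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value (definite length, long form when body >= 128 bytes)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return der_tlv(0x06, bytes(body))

def attribute(oid: str, value: bytes) -> bytes:
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF ANY }"""
    return der_tlv(0x30, der_oid(oid) + der_tlv(0x31, value))

def pkcs7_signed_attrs(digest: bytes) -> bytes:
    """Bytes a PKCS#7 signature is over (RFC 5652 5.4): explicit SET OF Attribute, DER-sorted."""
    attrs = [attribute(OID_CONTENT_TYPE, der_oid(OID_ID_DATA)),
             attribute(OID_MESSAGE_DIGEST, der_tlv(0x04, digest))]
    return der_tlv(0x31, b"".join(sorted(attrs)))

def ds_digest_value(content: bytes) -> str:
    """What ds:Reference/ds:DigestValue carries for the same content (base64 of the digest)."""
    return base64.b64encode(hashlib.sha256(content).digest()).decode()

def signed_bytes_for_reference(digest_value_b64: str) -> bytes:
    """Verifier side of a PKCS7-replicating SignatureMethod: rebuild DER signedAttrs from ds:DigestValue."""
    return pkcs7_signed_attrs(base64.b64decode(digest_value_b64))

def ds_digest_value_from_signed_attrs(signed_attrs: bytes) -> str:
    """Server-side conversion: pull messageDigest out of signedAttrs for ds:DigestValue (short lengths only)."""
    marker = der_oid(OID_MESSAGE_DIGEST)
    i = signed_attrs.index(marker) + len(marker)
    assert signed_attrs[i] == 0x31 and signed_attrs[i + 2] == 0x04  # SET { OCTET STRING }
    return base64.b64encode(signed_attrs[i + 4:i + 4 + signed_attrs[i + 3]]).decode()
```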
Received on Wednesday, 29 March 2006 20:23:20 UTC