XML versus ASN.1/DER blob from dee3@us.ibm.com on 1999-04-20 (w3c-xml-sig-ws@w3.org from April 1999)

From: <dee3@us.ibm.com>
Date: Tue, 20 Apr 1999 12:14:32 -0400
To: w3c-xml-sig-ws@w3.org
Message-ID: <85256759.0059E9FA.00@D51MTA10.pok.ibm.com>

I agree that careful thought on boundaries is needed here.  There are
potentially three task areas:

(1) Canonicalizing XML.  A reasonable family of clearly defined, stable,
and relatively easy to implement canonicalizations of XML need to be
defined.  For many applications, you would want to canonicalize.  This
includes cases where you sign XML regardless of how the signature syntax.

(2) Packaging. This is actually a broader topic than it seems.  There are
potentially many facets as follows, although I think only one is
interesting here:
     (2a) How to package arbitrary stuff in MIME, documented in RFCs
2045-2049.
     (2b) How to package XML in MIME, currently documented in RFC 2376 but
undergoing review.
     (2c) How to package signed/encrypted stuff in MIME, documented in RFC
1847.  (Used in some email formats and convenient to have as a default but
many protocols have their own syntax with provisions for signature,
encrypted fields, etc.)
     (2d) How to package arbitrary stuff in XML, undefined: presumably will
be something like a mapping of MIME into an XML syntax with appropriate
defaults so that simple cases are very concise.
     (2e) How to package arbitrary MIME in XML, undefined:
<MIME>...</MIME>?
     (2f) How to package signed/encrypted stuff in XML, undefined: possible
a mapping of the RFC 1847 MIME into an XML syntax.  (Only needed as a
default since many protocols will have their own syntax with provisions for
signatures, encrypted fields, etc.)

(3) XML Signature Syntax.  There appears to be controversy here.  Some want
to start with CMS/PKCS#7 but map it into XML syntax and extend it to meet
the requirements, presumably resulting in something like the Richard Brown
proposal.  Others want to just use a PKCS#7 binary blob.
     The blob approach loses all of the transparency and extensibility of
XML.  It is not clear that it can meet the requirements for support of
keyed hashes.  You are locked into having two mutually alien sets of
encoding/decodig logic: XML and ASN.1/DER.
     On the other hand, wtih XML syntax as show in the Richard Brown
proposal, you do have the readability and extensibility that are goals of
XML.
     Quite frankly, if you go with the blob, I don't see any justification
for calling the result an XML digital signature.

Thanks,
Donald

Donald E. Eastlake, 3rd
17 Skyline Drive, Hawthorne, NY 10532 USA
dee3@us.ibm.com   tel: 1-914-784-7913, fax: 1-914-784-3833

home: 65 Shindegan Hill Road, RR#1, Carmel, NY 10512 USA
dee3@torque.pothole.com   tel: 1-914-276-2668

Received on Tuesday, 20 April 1999 12:22:24 UTC