Re: XML versus ASN.1/DER blob from Bob Relyea on 1999-04-20 (w3c-xml-sig-ws@w3.org from April 1999)

From: Bob Relyea <relyea@netscape.com>
Date: Tue, 20 Apr 1999 14:32:53 -0700
To: dee3@us.ibm.com, w3c-xml-sig-ws@w3.org
Message-ID: <371CF284.7E482921@netscape.com>
dee3@us.ibm.com wrote:

> ### If you want to define a "PKCS7" signature algorithm and do things in
> a hybrid XML / ASN.1 fashion, I suppose you should be able to.  But people
> who want to really do it in XML without having to drag in ASN.1/DER
> encoders and decoders, in addition to their XML logic, should be able to
> also.

If you want to do anything interesting with signed data, you already have to
include ASN.1 and DER. RSA PKCS #1 signatures have imbedded ASN.1 data. You
also need modular exponenatiation code, which swamps DER in size and
complexity.

>
>
> This means that we need to define how XML applications can get access to
> non-XML objects anyway.
>
> ### XML applications should be accessing things with DOM or the like.

I presumed there would be something like this. We then need to define that the
DOM methodes look like for things like PKCS #7 objects.

>
>
> >      On the other hand, wtih XML syntax as show in the Richard Brown
> > proposal, you do have the readability and extensibility that are goals of
> > XML.
>
> I don't see anything wrong with the base structure of Richard's proposal.
> We
> just need to spend the time to hash out what specifically shows up as XML
> tags,
> what shows up in PKCS #7 blobs, what shows up in both, and how do XML
> applications get to stuff in the PKCS #7 blob, and what shows up in both.
>
> ### In an XML standard, things should be in XML tags.  If you want to do
> PKCS#7 signatures that make some use of XML packaging, you can.  Just don't
> pretend they are XML signatures.

So our RSA signatures should be encrypted blobs of XML, and not PKCS #1 blobs
to be real XML signatures, even though every security token in the world would
barf on that data?

> >      Quite frankly, if you go with the blob, I don't see any
> justification
> > for calling the result an XML digital signature.

We're working on Signed XML. An XML digital signature, as you are trying to
define it appears to me to be and interesting academic exersize, but does not
get us any closer to deploying and using signed XML documents -- and certainly
does not meet any goal of getting something useful in the next 18 months!

> ### A PKCS#7 blob is an ASN.1/DER signature.  It is never a MIME signature.
> In S/MIME, it is an ASN.1/DER signature of a MIME object packaged with
> MIME.
> You could certainly design a way to use PKCS#7 blobs to get an ASN.1/DER
> signature of arbitrary stuff, including XML, packaged in XML.

So I submit that if you are trying to build a new *signature* standard, that
work should be done under some other working group.

The best analogy I can think of to what you are suggesting is if someone
decided that we need an XML Image format, because JPEG is to hard. The new
format would build on JPEG, and use DCT's, have all sorts of low level binary
data. it will have some interesting things like image size and resolution that
the XML application can use.

Again an interesting exersize, but not someone would actually use in a
commercial application.

bob
Received on Tuesday, 20 April 1999 17:33:36 UTC