- From: Paul Lambert <plambert@certicom.com>
- Date: Wed, 21 Apr 1999 16:29:40 -0700
- To: "John Boyer" <jboyer@uwi.com>
- cc: "Dsig group" <w3c-xml-sig-ws@w3.org>
John,

> Signing XML is a fundamentally different problem. We do not need to learn
> from these past efforts if we do not try to duplicate them, as would be the
> case if signed XML meant "sign XML then express signature in XML". Signing
> XML only requires us to define an interface to call upon these technologies.
> As the cryptography experts learn from their past efforts and put out new
> standards, our interface will be able to call on the technology that
> implements the new standards. All without changing our spec, DTDs, and
> software.

My proposal was directed at the use of certificates from PGP and X.509. Only one originator should be supported. It is not easy to "call on new technology" that hides relevant information in opaque blobs.

I'm obviously in the no-PKCS#7 for XML signatures camp. We will not be able to prevent vendors from defining signature blobs that are based on PKCS#7, but we should not make this our solution provides equivalent functionality in an XML syntax.

My objection is based on the granularity of blobs. PKCS#7 has too much information encoded within its blob.

More on this later ...

Paul

"John Boyer" <jboyer@uwi.com> on 04/21/99 03:38:25 PM

To: Paul Lambert/Certicom
cc: "Dsig group" <w3c-xml-sig-ws@w3.org>
Subject: Re: Single Key in Originator Information

> Signing XML is not a fundamental and different problem. We have many
> worked examples to learn from like: X.410, X.509, PEM, MOSS, DNS Sec, SDSI,
> SPKI, PGP, DMS, and DSig 1.0.
<snip/>
> So, hopefully we will be able to learn from these past efforts.

Signing XML is a fundamentally different problem. We do not need to learn from these past efforts if we do not try to duplicate them, as would be the case if signed XML meant "sign XML then express signature in XML". Signing XML only requires us to define an interface to call upon these technologies.

As the cryptography experts learn from their past efforts and put out new standards, our interface will be able to call on the technology that implements the new standards. All without changing our spec, DTDs, and software.

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company
jboyer@uwi.com
Received on Wednesday, 21 April 1999 19:47:40 UTC