- From: <rhimes@nmcourt.fed.us>
- Date: Thu, 22 Apr 1999 15:14:20 -0700
- To: <w3c-xml-sig-ws@w3.org>
John,
I like the generality and simplicity of your solution, but I have a
few questions which will help me understand the position you are
proposing. Suppose that a future developer or standards committee
decided to express a signature and its descriptive parameters in XML
which, AFAIK, is a good idea. Under your proposal, would the XML
digital signature fragment have to be "blobbed" (base64) so that it
would become a black box to the XML parser/application?
Could we consider the XML fragment itself as the black box, that is,
it could be passed to an intermediate engine which would determine
whether it contains a well-defined (current practice) blob or whether
it needs to generate such a blob from information in the fragment? I
know this raises DTD issues, but we should be able to work around
them, perhaps with namespaces.
I believe it makes sense to define signatures in XML if we can be
assured that we aren't opening up new security holes. Also, I don't
know if that work is appropriate for this group, but I don't think we
should discount the possibility.
Thanks,
Rich Himes <rhimes@nmcourt.fed.us>
______________________________ Reply Separator _________________________________
Subject: Re: Single Key in Originator Information
Author: w3c-xml-sig-ws@w3.org at ~Internet
Date: 4/21/99 6:34 PM
>Signing XML is not a fundamental and different problem. We have many
>worked examples to learn from like: X.410, X.509, PEM, MOSS, DNS Sec, SDSI,
>SPKI, PGP, DMS, and DSig 1.0.
<snip/>
>So, hopefully we will be able to learn from these past efforts.
Signing XML is a fundamentally different problem. We do not need to learn
from these past efforts if we do not try to duplicate them, as would be the
case if signed XML meant "sign XML then express signature in XML". Signing
XML only requires us to define an interface to call upon these technologies.
As the cryptography experts learn from their past efforts and put out new
standards, our interface will be able to call on the technology that
implements the new standards. All without changing our spec, DTDs, and
software.
John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company
jboyer@uwi.com
Received on Thursday, 22 April 1999 17:15:43 UTC