RE: XML interface with URIs

Bob,

Sorry, my statement was obviously a bit misleading.

I was not refering to what appear on the wire but rather what is being fed
to the "crypto-engine". If I make use of a crypto-algorithm (i.e. DSA)
through some crypto API (i.e. JCE), I just pass a reference to or the value
of the private-key. If I make use of a package such as PKCS#7, I usually
have to pass not only a refernce to the private key but also the certificate
chain. The point being that there might be a few details that should be
further investigated before taking any decision - There might be not problem
as well - I just don't know yet.

Regarding the second point, I certainly agree with you - XML-DSIG shall
support certificate-based schemes. Recall that the proposal already makes
such provisions. But, usage of certificate shall not be mandatory.

Sincerely,

Richard D. Brown


> -----Original Message-----
> From: Bob Relyea [mailto:relyea@netscape.com]
> Sent: Tuesday, April 27, 1999 11:52 AM
> To: rdbrown@GlobeSet.com
> Cc: 'Phillip M Hallam-Baker'; 'Bede McCall'; w3c-xml-sig-ws@w3.org
> Subject: Re: XML interface with URIs
>
>
>
>
> "Richard D. Brown" wrote:
>
> > Phill,
> >
> > Before agreeing on anything we have to understand the ins
> and outs of such a
> > decision.
> >
> > For example:
> >
> > 1 - What do people refer to by CMS? CMS as specified by
> PKIX or PKCS#7 from
> > RSA.
> >
> > 2 - CMS implementations usually require the
> certificate-chain to be either
> > refer to or pass as an argument. What is the impact on XML-DSIG
> > implementation? Other crypto-algorithms require only the
> private-key.
>
> Do you mean the public key? I don't know of any protocols
> that transport the raw
> private-key.
> XML-DSIG should be able to work with certificate-chain's.
> That's what's actually
> deployed. That's what actual production protocols use (SSL,
> S/MIME). I won't
> argue against allowing public key only signatures.. it's just
> that, unless they
> themselves are signed, not much a generic application can do
> with them.
>
> bob
>
> > Also, we can make sure that the specification provides for
> CMS without
> > making CMS mandatory. Actually, I would certainly vote
> against such a
> > proposition.
>
> It should at least be a "should". You need at least one
> deployable solution that
> works with existing PKI's if you are interested in any near
> term deployments.
> Most importantly though, the spec should give the CMS
> profile. (that is if you
> use CMS, this is what the tags look like).
>
> bob
>

Received on Tuesday, 27 April 1999 13:59:09 UTC