RE: Signing encrypted data & PKCS7/CMS thoughts

The flexibility and power of XML Signature and XML Encryption requires a
paradigm shift in how security professionals and application professionals
think about security.  I would even go further and say that even XML itself
requires a paradigm shift in how security is approached.  This isn't just an
issue for XML Signature/Encryption but also for SAML, XACML, and whatever
security-related XML may come along.
When a decision is made to use XML and/or an XML-aware security mechanism,
the designers of the system need to take into account why and how XML
Security is different.  This will require the involvement of XML Security
expertise which will only come with experience.  At this time, the best
(that is, the safest) approach is to start with basic functionality, keeping
things as simple as possible.  Though a paradigm shift is ultimately
required, in the early stages, it may be best for developers to start by
simply using XML Signature and XML Encryption just as if they were an
XML-ized PKCS#7 or CMS.  Then once a good comfort level has been reached,
and perhaps with the aid of an XML Security consultant, more advanced
applications of XML Security can be incorporated.
Ed

-----Original Message-----
From: Thane Plambeck [mailto:tplambeck@verisign.com]
Sent: Thursday, March 22, 2001 12:25 PM
To: 'xml-encryption@w3.org'
Subject: Signing encrypted data & PKCS7/CMS thoughts


Ed writes:
> The wonderful thing about XML Signature and XML Encryption is that it is
> very flexible in ways that simply were not possible with CMS and PKCS7.

Although I agree with this in spirit, it's also our biggest problem in my
opinion. To the extent that we enable app developers to reuse keys, combine
signature/encryption, etc., we run risks of creating footholds for
cryptanalysis that aren't present in PKCS7/CMS.  Publishing a spec that puts
the burden of cryptanalytic soundness on the app developer is a useless,
probably even dangerous activity.

Suppose I believe that CMS and PKCS7 have a sound treatment of signing and
encryption from a cryptanalytic point of view.  It would be great if I knew
that any cryptanalytic attack on my XML Encryption/XML Signature application
would lift to a PKCS7 attack, i.e., that my XML app is at least as secure as
PKCS7.  Maybe there could be a PKCS7 "profile" or something?

Whether this is possible or even a reasonable way to think of this I don't
know.

Thane Plambeck
VeriSign

Received on Thursday, 22 March 2001 14:00:10 UTC