- From: Joseph Reagle <reagle@w3.org>
- Date: Wed, 31 Oct 2001 17:47:23 -0500
- To: "Dournaee, Blake" <bdournaee@rsasecurity.com>
- Cc: "'xml-encryption@w3.org'" <xml-encryption@w3.org>
On Wednesday 24 October 2001 15:32, Dournaee, Blake wrote:
> In my opinion, I believe that it is a mistake to leave out something as
> important as PBE for private keys.
> For example, here we have these great XML Signature and Encryption
> standards that are virtually ASN.1 free, yet there is no easy way to keep
> a private key safe without going back to ASN.1.

Couldn't one encrypt <ds:KeyValue/> as an <enc:EncryptedKey/> without resorting to ASN.1?

> For example, consider the creation of some arbitrary encrypted data that
> is encrypted and packaged using XML Encryption and sent to a recipient.
> The recipient can use XML tools to pull apart the document and get to the
> <EncryptedData> element(s), yet the actual *decryption key* (private
> key, in the case of RSA) will likely be stored locally as a PKCS#12
> message or a PKCS#8 blob. Because there is no XML substitute for keeping
> a decryption key safe and usable, an ASN.1 parser will be required in the
> end anyhow. At this point, there is little sense to use XML Encryption
> when one can just use PKCS#7 and re-use the ASN.1 engine and throw out
> the XML tools.

Well, this is one of those issues that if you specify/propose some text for section 5, you might be able to win a consensus from the WG to adopt it, but absent someone, who wants it, making a substantive proposal and convincing others, it's not likely to happen! <smile/>

--
* I will be in France from 3-9 November for the W3C AC Meeting.

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Wednesday, 31 October 2001 17:47:27 UTC