Re: Mime type for XRD/Site-meta signature file

[Eran Hammer-Lahav <eran@hueniverse.com>]

Title: Re: Mime type for XRD/Site-meta signature file

(moving this thread to XRI TC)

Some questions:

Is S/MIME adopted? It seems to work very similarly to what we are looking for, though using multiparts and not links.
Do we have an idea how the current status of adoption for PKCS #7 in libraries and platforms?
How much signature metadata do we need to build into XRD?

EHL


On 12/3/08 10:14 AM, "Brian Eaton" <beaton@google.com> wrote:

> OK, here's why you should care:
>
> If we use PKCS #7, we get a signature scheme that works on arbitrary
> documents (xml, binary, json, whatever) that includes all of the kinds
> of metadata one looks for in such signatures, such as who signed the
> document, when they signed, etc...
>
> The downside to PKCS #7 is that it is somewhat hard to implement from
> scratch due to asn.1, and we all know that developers prefer to
> implement something simple themselves than pulling in a complicated
> library.
>
> If we use PKCS #1 we need to build signature metadata into XRD.
> That's not particularly hard, we can reference the relevant XML DSIG
> formats without pulling in the insanity of xml canonicalization.
>
> So at this point I'm voting for pkcs #1, but there are valid arguments
> for pkcs #7 as well.
>
> Cheers,
> Brian
>
> On Wed, Dec 3, 2008 at 9:51 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> > This means nothing to me... :-)
> >
> > I'm going to leave the crypto stuff to those who truly understand it.
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: Brian Eaton [mailto:beaton@google.com]
> >> Sent: Wednesday, December 03, 2008 9:44 AM
> >> To: Eran Hammer-Lahav
> >> Cc: Ben Laurie
> >> Subject: Re: Mime type for XRD/Site-meta signature file
> >>
> >> pkcs #7 wraps the raw pkcs #1 signature with some additional asn.1
> >> The format is in http://tools.ietf.org/html/rfc2315 if you're
> >> interested.
> >>
> >> On Wed, Dec 3, 2008 at 9:40 AM, Eran Hammer-Lahav <eran@hueniverse.com>
> >> wrote:
> >> > I have no clue what the difference between 1 and 7 is... I simply
> >> looked for an existing signature mime-type and found this...
> >> >
> >> > Ben and Jonathan Sergent submitted the OAuth proposal for PKCS #1.5
> >> and we never discussed it.
> >> >
> >> > EHL
> >> >
> >> >> -----Original Message-----
> >> >> From: Brian Eaton [mailto:beaton@google.com]
> >> >> Sent: Wednesday, December 03, 2008 9:37 AM
> >> >> To: Ben Laurie
> >> >> Cc: Eran Hammer-Lahav
> >> >> Subject: Re: Mime type for XRD/Site-meta signature file
> >> >>
> >> >> On Wed, Dec 3, 2008 at 2:08 AM, Ben Laurie <ben@links.org> wrote:
> >> >> > Eran Hammer-Lahav wrote:
> >> >> >> I am not sure which signature method you had in mind, but if it
> >> is
> >> >> PKCS7,
> >> >> >> would application/pkcs7-signature work as a mime-type?
> >> >> >
> >> >> > I can't see any harm in that.
> >> >>
> >> >> Why did the OAuth community decide to go with PKCS #1.5 instead of
> >> PKCS
> >> >> #7?
> >> >>
> >> >> There seems to be a certain amount of overlap between the XML DSIG
> >> >> schema and the PKCS #7 ASN.1 schema.  Both include mechanisms for
> >> >> transferring certificates, for example.  My concern about using PKCS
> >> >> #7 signatures instead of using PKCS #1 is that some platforms may
> >> not
> >> >> have standard libraries for parsing PKCS #7 objects.  For example,
> >> >> Sun's JCE doesn't seem to expose PKCS #7 signature verification
> >> tools.
> >> >>  They do expose tools to verify PKCS #1 signatures.
> >> >
> >