Subject: Re: [xri] Re: Mime type for XRD/Site-meta signature file


FWIW, it might be worthwhile looking at the proposed simple-sign
binding draft [1] in the SSTC (SAML).  Much thought has gone into this
over the past year or so, and might save us some time, if we really
want to consider ditching xml dsig.

=peterd

[1]  http://www.oasis-open.org/apps/org/workgroup/security/download.php/30234/sstc-saml-binding-simplesign-cd-04.pdf

On Dec 3, 2008, at 5:20 PM, Eran Hammer-Lahav wrote:

> (moving this thread to XRI TC)
>
> Some questions:
>
> Is S/MIME adopted? It seems to work very similarly to what we are  
> looking for, though using multiparts and not links.
> Do we have an idea of the current status of adoption for PKCS #7 in
> libraries and platforms?
> How much signature metadata do we need to build into XRD?
>
> EHL
>
>
> On 12/3/08 10:14 AM, "Brian Eaton" <beaton@google.com> wrote:
>
> OK, here's why you should care:
>
> If we use PKCS #7, we get a signature scheme that works on arbitrary
> documents (xml, binary, json, whatever) that includes all of the kinds
> of metadata one looks for in such signatures, such as who signed the
> document, when they signed, etc...
>
> The downside to PKCS #7 is that it is somewhat hard to implement from
> scratch due to asn.1, and we all know that developers prefer to
> implement something simple themselves than pulling in a complicated
> library.
>
> If we use PKCS #1 we need to build signature metadata into XRD.
> That's not particularly hard, we can reference the relevant XML DSIG
> formats without pulling in the insanity of xml canonicalization.
>
> So at this point I'm voting for pkcs #1, but there are valid arguments
> for pkcs #7 as well.
>
> Cheers,
> Brian
>
> On Wed, Dec 3, 2008 at 9:51 AM, Eran Hammer-Lahav  
> <eran@hueniverse.com> wrote:
> > This means nothing to me... :-)
> >
> > I'm going to leave the crypto stuff to those who truly understand it.
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: Brian Eaton [mailto:beaton@google.com]
> >> Sent: Wednesday, December 03, 2008 9:44 AM
> >> To: Eran Hammer-Lahav
> >> Cc: Ben Laurie
> >> Subject: Re: Mime type for XRD/Site-meta signature file
> >>
> >> pkcs #7 wraps the raw pkcs #1 signature with some additional asn.1
> >> The format is in http://tools.ietf.org/html/rfc2315 if you're
> >> interested.
> >>
> >> On Wed, Dec 3, 2008 at 9:40 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> >> > I have no clue what the difference between 1 and 7 is... I simply
> >> looked for an existing signature mime-type and found this...
> >> >
> >> > Ben and Jonathan Sergent submitted the OAuth proposal for PKCS #1.5
> >> > and we never discussed it.
> >> >
> >> > EHL
> >> >
> >> >> -----Original Message-----
> >> >> From: Brian Eaton [mailto:beaton@google.com]
> >> >> Sent: Wednesday, December 03, 2008 9:37 AM
> >> >> To: Ben Laurie
> >> >> Cc: Eran Hammer-Lahav
> >> >> Subject: Re: Mime type for XRD/Site-meta signature file
> >> >>
> >> >> On Wed, Dec 3, 2008 at 2:08 AM, Ben Laurie <ben@links.org> wrote:
> >> >> > Eran Hammer-Lahav wrote:
> >> >> >> I am not sure which signature method you had in mind, but if it is PKCS7,
> >> >> >> would application/pkcs7-signature work as a mime-type?
> >> >> >
> >> >> > I can't see any harm in that.
> >> >>
> >> >> Why did the OAuth community decide to go with PKCS #1.5 instead of
> >> >> PKCS #7?
> >> >>
> >> >> There seems to be a certain amount of overlap between the XML DSIG
> >> >> schema and the PKCS #7 ASN.1 schema.  Both include mechanisms for
> >> >> transferring certificates, for example.  My concern about using PKCS
> >> >> #7 signatures instead of using PKCS #1 is that some platforms may not
> >> >> have standard libraries for parsing PKCS #7 objects.  For example,
> >> >> Sun's JCE doesn't seem to expose PKCS #7 signature verification tools.
> >> >> They do expose tools to verify PKCS #1 signatures.
> >> >
> >
>

Peter Davis: NeuStar, Inc.
Director & Distinguished Member of the Technical Staff
45980 Center Oak Plaza Sterling, VA 20166
[T] +1 571 434 5516 [E] peter.davis@neustar.biz [W] http://www.neustar.biz/ 
  [X] xri://@neustar*pdavis [X] xri://=peterd
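The PKCS #1 route Brian describes above, with the signer and timestamp metadata that a bare signature lacks carried in a small envelope and bound into the signed digest, as an added Go example that is not part of this thread or of any XRI TC deliverable. The SigMeta envelope, its field names and the digest binding are assumptions of this example; the XRD document and key are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"time"
)

// SigMeta is a hypothetical envelope (not from any XRI/XRD spec) carrying the
// metadata a raw PKCS #1 signature lacks: who signed, when, with which digest.
type SigMeta struct {
	Signer, SignedAt, DigestAlg string
	Signature                   string // base64 PKCS #1 v1.5 signature
}
// digestFor hashes document and metadata together, so that neither can be
// swapped out independently without invalidating the signature.
func digestFor(doc []byte, m SigMeta) []byte {
	h := sha256.New()
	h.Write(doc)
	fmt.Fprintf(h, "\n%s\n%s\n%s", m.Signer, m.SignedAt, m.DigestAlg)
	return h.Sum(nil)
}
func signXRD(doc []byte, signer string, at time.Time, key *rsa.PrivateKey) (SigMeta, error) {
	m := SigMeta{Signer: signer, SignedAt: at.UTC().Format(time.RFC3339), DigestAlg: "sha256"}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digestFor(doc, m))
	if err != nil {
		return SigMeta{}, err
	}
	m.Signature = base64.StdEncoding.EncodeToString(sig)
	return m, nil
}
// verifyXRD rejects unknown digest algorithms and bad encodings before the RSA check.
func verifyXRD(doc []byte, m SigMeta, pub *rsa.PublicKey) bool {
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil || m.DigestAlg != "sha256" {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digestFor(doc, m), sig) == nil
}
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key for the demo
	doc := []byte(`<XRD><Subject>xri://=example</Subject></XRD>`) // constructed document
	m, _ := signXRD(doc, "xri://=example", time.Now(), key)
	fmt.Println("valid:", verifyXRD(doc, m, &key.PublicKey))
}
```

PKCS #7 SignedData carries the same signer and signing-time fields as signed attributes inside the ASN.1 structure; with PKCS #1 the binding shown in digestFor has to be done by hand, which is exactly the metadata Brian says would have to be built into XRD.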