[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] CMS
Trevor, That is not quite what I heard. I had simply suggested making InputDocuments and SignatureObject [Optional] in the Verify protocol. This is arguably a good idea for XMLDSIG and a must for CMS. What you have below simply moves (correction, copies) our debate from an XMLDSIG playing field to an ASN.1 playing field. Besides, you have just scratched the surface of FULL CMS support. It just exacerbates the complexity on the CMS client side which I thought was unnecessary for single signature XMLDSIG documents. It would be especially painful for run-of-the-mill CMS enveloping signatures. What I suggested, and thought I heard consensus on, was the simple introduction of either/or optionality of InputDocuments and SignatureObjects for the Verify. There is no need to change the Sign. Basic CMS support is there, extended forms should be relegated to profiles, where specific handling can be addressed by the profile author and scope can be controlled. XAdES 101733 is a perfect example. I believe the DSS core should stay out of this detail, the CMS suggestions below is exactly what you end up. If you have an enveloping PKCS7 just place the entire SignedData PKCS7 (which every tool on the planet produces) in dss:Base64Signature, no InputDocuments required. If you have a single XMLDSIG enveloped/enveloping signature just place it in InputDocuments, whether and when the SignaturePtr is required or not should be relegated to policy and profiles. This was also discussed and agreed to. All other advanced CMS forms including CMS multi-signing, counter-signing, detached signatures, PKCS#1 signatures, S/MIME, WAP Signed Content, ES-C timestamps, or whatever else you want to support, should be the domain of the profile. The profile should be responsible for the scope and degree of pain it does or does not want to put its clients through, based on what it's basic value proposition is. I agreed that the DSS TC core was "... primarily focused ..." on XMLDSIG. It presently has rudamentary support for CMS, and I simply pointed out a small anomaly in the Verify in pursuing that rudimentary support. I think it would be a good idea to beef up the Basic Processing sections (Sign and Verify, text only) to at least say something about this rudimentary CMS support. I thing everyone likes the XMLDSIG emphasis without totally ignoring CMS. I did not hear anyone say "bring it up to par with XMLDSIG". I didn't want the added complexity in the core any more than you did. Why the sudden change of heart ? Ed P.S. I have attached both a counter-signed and multi-signed P7 for your perusal. Open them up with your favorite BER Viewer. Its not as simple as it seems. Maybe for us, but not for my clients. -----Original Message----- From: Trevor Perrin [mailto:trevp@trevp.net] Sent: April 19, 2004 3:40 PM To: dss@lists.oasis-open.org Subject: [dss] CMS The consensus on the call was that CMS support should be fully spec'd in the core. Here's a proposal: To recap, a CMS SignedData contains a set of co-signatures, each of which could be the root of a *tree* of counter-signatures (not a chain, like I thought before). Each of these sub-signatures is of type SignerInfo. So far, we've assumed the client sends a SignedData for verifying. I think it would be better to send a SignerInfo: - SignerInfo is self-contained: it contains signed & unsigned attributes, the hash type, and signature value. A SignerInfo should be easy to extract from a SignedData: at best, your library will provide access to it. At worse, you do a bit of ASN.1 parsing. - This avoids the difficulty with determining which co-signature or counter-signature to verify. The client just encodes the desired SignerInfo inside a <Base64Signature>. - This supports enveloping & detached signatures identically, and allows for client-side-hashing (via <DocumentHash>) in either case. On the signing side, we probably still want to return a full SignedData, so the client doesn't have to piece one together. Comments? Trevor To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php .
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]