[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: AW: Content Type for XML Objects
I agree with at least part of what Peter said.
This is the path that I think should be followed:
1. There should be one XML content type OID assigned. There are not
multiple ways to encode XML at this point.
2. It should be determined
a) We need an authenticated attribute to convey what the XML is and
b) if the ContentHints attribute is
If the answers are yes and no, then a new authenticated attribute
should be created for this purpose.
3. For those people who want to continue using C14N algorithms on XML
trees, they need to define one or more new hash algorithms that convert an
XML tree into a binary number. These new hash algorithms would most likely
take as a parameter one of the existing string to binary number hash
algorithms we are familiar with today.
> -----Original Message-----
> From: owner-ietf-smime@xxxxxxxxxxxx [mailto:owner-ietf-
> smime@xxxxxxxxxxxx] On Behalf Of Peter Gutmann
> Sent: Tuesday, April 08, 2008 11:31 PM
> To: housley@xxxxxxxxxxxx; joerg.schwenk@xxxxxx
> Cc: ietf-smime@xxxxxxx
> Subject: Re: AW: Content Type for XML Objects
> =?iso-8859-1?Q?J=F6rg_Schwenk?= <joerg.schwenk@xxxxxx> writes:
> >- The problem now is that there are, up to my knowledge, at least two
> >different C14N algorithms specified. So one OID will not do, because
> it has
> >to tell the signature verification function how to process the XML
> >before hashing it.
> Argh, no, this is exactly the same mistake that XMLdsig makes, and (one
> the reasons why it's such a nightmare to implement (see
> http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt for the short
> form and
> http://seattle.toorcon.org/2007/talks/bradhill.ppt for the version with
> orchestration and five part harmony).
> The nice thing about S/MIME and PGP is that what's signed is "this
> string of
> bits, exactly as is", without any need to perform impossible
> manipulations on
> it first like XMLdsig requires.
> >To sum up: I think we need a different OID for each C14N algorithm.
> Only if we want to repeat XMLdsig's mistakes. This is a chance to fix
> not to perpetuate them.