At 2:37 PM -0400 4/9/08, Russ Housley wrote:
> Blake:
>
> > The nice thing about S/MIME and PGP is that what's signed is "this string of bits, exactly as is", without any need to perform impossible manipulations on it first like XMLdsig requires.
> >
> > One way to avoid this temptation is to just leave it as "throw a MIME Content-Type at the beginning of it with application/(something)+xml, mark it id-data and call it S/MIME". The overhead does not seem significant (just the additional header), and I don't know the utility of being able to identify it as XML at the outer CMS wrapper.
>
> I already proposed this before starting this thread. This is the response I got:
>
> > Gah, please not MIME encoding. We already have to have ASN.1 and XML libraries, I don't want to have to add a MIME library too.
>
> As you can see, there is a strong preference to carry the XML object directly in CMS.
There are strong preferences all over on topics relating to XML. See the Apps Area mailing list, about once a year or so.
FWIW, I agree with Blake. Using the outer wrapper to say "the bits inside this are serialized as XML" doesn't seem useful to the S/MIME processor. Let's not reinvent MIME in our OIDs if we don't need to.