ietf-smime

Re: AW: Content Type for XML Objects

2008-04-08 23:57:27

Jörg Schwenk <joerg(_dot_)schwenk(_at_)rub(_dot_)de> writes:

- The problem now is that there are, to my knowledge, at least two
different C14N algorithms specified. So one OID will not do, because it has
to tell the signature verification function how to process the XML data
before hashing it.

Argh, no, this is exactly the same mistake that XMLdsig makes, and (one of)
the reasons why it's such a nightmare to implement (see
http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt for the short form and
http://seattle.toorcon.org/2007/talks/bradhill.ppt for the version with full
orchestration and five part harmony).

The nice thing about S/MIME and PGP is that what's signed is "this string of
bits, exactly as is", without any need to perform impossible manipulations on
it first like XMLdsig requires.

To sum up: I think we need a different OID for each C14N algorithm.

Only if we want to repeat XMLdsig's mistakes.  This is a chance to fix them,
not to perpetuate them.

Peter.
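To illustrate the point argued in this exchange, here is an added Python example (not part of the original thread; it assumes Python 3.8+ for xml.etree's C14N 2.0 `canonicalize` and uses a constructed XML sample): hashing the octets exactly as they are treats two serialisations of the same document as different, while a hash over a canonical form only matches when signer and verifier agree on the canonicalisation algorithm and its options, which is the extra state the OID discussion is about.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: two byte-different serialisations of the same XML
# content (attribute order and whitespace differ, the data does not).
DOC_A = b'<order id="7" currency="EUR"><item sku="X1">2</item></order>'
DOC_B = b'<order currency="EUR" id="7">\n  <item sku="X1">2</item>\n</order>'


def digest_exact(data: bytes) -> str:
    """S/MIME and PGP style: hash the string of bits exactly as is."""
    return hashlib.sha256(data).hexdigest()


def digest_c14n(data: bytes, strip_text: bool) -> str:
    """XMLdsig style: canonicalise first, then hash the canonical form.

    The digest depends on the canonicalisation algorithm and its options
    (here C14N 2.0 with or without whitespace stripping), so the verifier
    has to be told which one the signer used before it can check anything.
    """
    canon = ET.canonicalize(xml_data=data.decode("utf-8"), strip_text=strip_text)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def compare() -> dict:
    """Summarise how the two approaches treat the constructed documents."""
    return {
        # Byte-exact: the two serialisations are simply different messages.
        "exact_match": digest_exact(DOC_A) == digest_exact(DOC_B),
        # Canonicalised with the same algorithm and options: they agree.
        "c14n_match": digest_c14n(DOC_A, True) == digest_c14n(DOC_B, True),
        # Same document, same algorithm, different option: they disagree,
        # so a single "C14N" identifier is not enough for the verifier.
        "c14n_options_match": digest_c14n(DOC_B, True) == digest_c14n(DOC_B, False),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```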