I agree with at least part of what Peter said.
This is the path that I think should be followed:
1. There should be one XML content type OID assigned. There are not multiple ways to encode XML at this point.
2. It should be determined
a) We need an authenticated attribute to convey what the XML is and
b) if the ContentHints attribute is
If the answers are yes and no, then a new authenticated attribute should be created for this purpose.
3. For those people who want to continue using C14N algorithms on XML trees, they need to define one or more new hash algorithms that convert an XML tree into a binary number. These new hash algorithms would most likely take as a parameter one of the existing string to binary number hash algorithms we are familiar with today.
Jim
-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org [mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Peter Gutmann
Sent: Tuesday, April 08, 2008 11:31 PM
To: housley(_at_)vigilsec(_dot_)com; joerg(_dot_)schwenk(_at_)rub(_dot_)de
Cc: ietf-smime(_at_)imc(_dot_)org
Subject: Re: AW: Content Type for XML Objects
Jörg Schwenk <joerg(_dot_)schwenk(_at_)rub(_dot_)de> writes:
- The problem now is that there are, up to my knowledge, at least two different C14N algorithms specified. So one OID will not do, because it has to tell the signature verification function how to process the XML data before hashing it.
Argh, no, this is exactly the same mistake that XMLdsig makes, and (one of) the reasons why it's such a nightmare to implement (see http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt for the short form and http://seattle.toorcon.org/2007/talks/bradhill.ppt for the version with full orchestration and five part harmony).
The nice thing about S/MIME and PGP is that what's signed is "this string of bits, exactly as is", without any need to perform impossible manipulations on it first like XMLdsig requires.
To sum up: I think we need a different OID for each C14N algorithm.
Only if we want to repeat XMLdsig's mistakes. This is a chance to fix them, not to perpetuate them.
Peter.
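The two positions in this thread can be shown side by side in code: the S/MIME model Peter describes (hash the exact bytes that were signed) against the "canonicalize, then hash" composite that Jim's point 3 sketches, where the C14N step is part of the hash algorithm's identity and the byte-string hash is its parameter. The following is an added example written for this thread, not code from the S/MIME working group or from any of the posters. It uses the Python standard library's W3C C14N 2.0 implementation (`xml.etree.ElementTree.canonicalize`, Python 3.8 and later); the `C14N_HASHES` identifier table, the `verify()` helper and the three sample documents are constructed for illustration and stand in for the OIDs a real profile would assign.

```python
"""Canonicalize-then-hash as a composite digest algorithm (added example)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Hypothetical composite identifiers, one per (C14N variant, base hash) pair.
# This is Jim's point 3: the canonicalization is part of the hash algorithm's
# identity and the base hash is its parameter.  Here the two "variants"
# differ only by a canonicalizer option; real C14N versions (1.0, 1.1,
# exclusive, 2.0) differ far more, which is Jorg's concern about a single OID.
C14N_HASHES = {
    "c14n20-sha256":       {"hash": "sha256", "options": {}},
    "c14n20-strip-sha256": {"hash": "sha256", "options": {"strip_text": True}},
}


def raw_digest(data: bytes, hash_name: str = "sha256") -> str:
    """The S/MIME and PGP model: hash the exact bytes that were signed."""
    return hashlib.new(hash_name, data).hexdigest()


def c14n_digest(data: bytes, alg_id: str) -> str:
    """Composite digest: canonicalize the XML tree, then hash the result.

    Raises KeyError for an unknown alg_id; a verifier must never guess
    which canonicalization the signer applied.
    """
    spec = C14N_HASHES[alg_id]
    canonical = ET.canonicalize(xml_data=data.decode("utf-8"), **spec["options"])
    return hashlib.new(spec["hash"], canonical.encode("utf-8")).hexdigest()


def verify(data: bytes, alg_id: str, expected_hex: str) -> bool:
    """Check a received digest.  alg_id plays the role of the signed
    attribute / OID that tells the verifier which composite algorithm applies."""
    if alg_id not in C14N_HASHES:
        return False  # unknown canonicalization: reject rather than guess
    return hmac.compare_digest(c14n_digest(data, alg_id), expected_hex)


# Constructed inputs: the same XML infoset serialized three different ways.
DOC_A = b'<doc a="1" b="2"><item>x</item></doc>'
DOC_B = b'<doc b="2" a="1"><item>x</item></doc>'        # attribute order swapped
DOC_C = b'<doc a="1" b="2">\n  <item>x</item>\n</doc>'  # pretty-printed whitespace


def demo() -> dict:
    """Return the digests of all three documents under each model."""
    docs = (DOC_A, DOC_B, DOC_C)
    return {
        "raw":   [raw_digest(d) for d in docs],
        "c14n":  [c14n_digest(d, "c14n20-sha256") for d in docs],
        "strip": [c14n_digest(d, "c14n20-strip-sha256") for d in docs],
    }


if __name__ == "__main__":
    for model, digests in demo().items():
        print(model)
        for d in digests:
            print("   ", d)
```

Under `raw`, all three documents hash differently, as expected for "this string of bits, exactly as is". Under `c14n20-sha256`, the attribute-order change disappears but the whitespace change does not; under `c14n20-strip-sha256`, all three collapse to one digest. Which documents a signature covers therefore depends entirely on which composite algorithm the verifier runs, which is why the identifier has to be bound to the signature and why `verify()` refuses an identifier it does not recognise instead of trying each one.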