At 2:37 PM -0400 4/9/08, Russ Housley wrote:
> Blake:
>
> > The nice thing about S/MIME and PGP is that what's signed is "this
> > string of bits, exactly as is", without any need to perform impossible
> > manipulations on it first like XMLdsig requires.
> >
> > One way to avoid this temptation is to just leave it as "throw a MIME
> > Content-Type at the beginning of it with application/(something)+xml,
> > mark it id-data and call it S/MIME". The overhead does not seem
> > significant (just the additional header), and I don't know the utility
> > of being able to identify it as XML at the outer CMS wrapper.
>
> I already proposed this before starting this thread. This is the
> response I got:
>
>     Gah, please not MIME encoding. We already have to have ASN.1 and XML
>     libraries, I don't want to have to add a MIME library too.
>
> As you can see, there is a strong preference to carry the XML object
> directly in CMS.
There are strong preferences all over on topics relating to XML. See
the Apps Area mailing list, about once a year or so.
FWIW, I agree with Blake. Using the outer wrapper to say "the bits
inside this are serialized as XML" doesn't seem useful to the S/MIME
processor. Let's not reinvent MIME in our OIDs if we don't need to.