> On 2018-10-11 21:03, Carsten Bormann wrote:
>> On Oct 11, 2018, at 20:23, Phil Hunt <[email protected]> wrote:
>>> I am not sure of the value of canonicalization. I prefer bytestream encoding
>>> style where the original content goes with the signature.
>> I’m afraid a lot of people are sitting in front of their screens silently
>> agreeing, but not typing anything because their hands are tied up in an
>> interminable facepalm.
> Those who are not stuck in an ever-lasting facepalm may not be entirely
> comfortable with signature schemes that completely change the structure of
> signed messages. Does COSE do this as well?
> Well, you can of course add artificial unsigned layers (like the TEEP folks do), but that
> smells "workaround" rather than solution.
> thanx,
> Anders

So, for the record:
To the people asking for a c14n solution for signature: If you want XMLDSig,
you know where to find it.
The basic approach of having humongous XML documents that get signatures added
to themselves as part of the document only makes sense in certain processing
models that went out of favor with XML.
JOSE does the right thing for more modern applications.
I’m not opposed to doing some “c14n” work on serialization schemes —
deterministic serialization has other applications than just XMLDSig.
That would be work for a JSONbis WG (but I fear the interest level among JSON
experts will be low).
I definitely do not like giving the message that c14n-based signatures are the
new thing that will replace doing the right thing (JOSE, that is).
Grüße, Carsten
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
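As an added illustration of the two approaches argued over in this thread (this is example code written for this page, not code from the thread, from JOSE, or from any JOSE library): a JWS carries the exact signed bytes with the signature, so the verifier never re-serializes anything, whereas a detached "sign the JSON value" scheme only survives re-serialization if both sides agree on a canonical form. The example assumes HS256 with a constructed shared key, and uses `sort_keys` with no whitespace as a stand-in for a real canonicalization spec, not as an implementation of one.

```python
"""Added example: JWS (bytes travel with the signature) versus a detached
signature over a JSON value, with and without canonicalization.

Assumptions (not from the thread): HS256 with a constructed shared key;
canonicalize() is a stand-in for a real c14n spec, not an implementation of one.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample key


def b64url(data: bytes) -> str:
    # JOSE base64url without padding (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_sign(payload: bytes, key: bytes) -> str:
    """JWS compact serialization: the exact payload bytes ride along with the MAC."""
    header = b64url(b'{"alg":"HS256"}')
    signing_input = f"{header}.{b64url(payload)}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{signing_input.decode('ascii')}.{b64url(sig)}"


def jws_verify(token: str, key: bytes) -> Optional[bytes]:
    """Return the signed payload bytes, or None if the MAC does not match.
    Nothing in the payload is parsed before the MAC is checked."""
    try:
        header, payload, sig = token.split(".")
        sig_bytes = b64url_decode(sig)
    except (ValueError, base64.binascii.Error):
        return None
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None
    return b64url_decode(payload)


def canonicalize(obj) -> bytes:
    # Stand-in c14n: sorted keys, no whitespace. A real spec also has to pin
    # down number formatting, string escaping and Unicode normalization.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def detached_sign(obj, key: bytes, canonical: bool) -> str:
    """MAC over a serialization of the JSON *value*; the object travels separately."""
    data = canonicalize(obj) if canonical else json.dumps(obj).encode("utf-8")
    return b64url(hmac.new(key, data, hashlib.sha256).digest())


def detached_verify(obj, sig: str, key: bytes, canonical: bool) -> bool:
    data = canonicalize(obj) if canonical else json.dumps(obj).encode("utf-8")
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def demo() -> dict:
    # Constructed sample claims; `reordered` is the same JSON value as
    # `original` after an intermediary re-serialized it with sorted keys.
    original = {"sub": "alice", "scope": "read", "exp": 1700000000}
    reordered = dict(sorted(original.items()))
    original_bytes = json.dumps(original).encode("utf-8")

    token = jws_sign(original_bytes, KEY)
    header, _payload, sig = token.split(".")
    modified_payload = b64url(json.dumps({**original, "scope": "admin"}).encode("utf-8"))
    modified_token = f"{header}.{modified_payload}.{sig}"

    plain_sig = detached_sign(original, KEY, canonical=False)
    c14n_sig = detached_sign(original, KEY, canonical=True)
    return {
        # JWS: the receiver verifies the bytes it was given; no c14n involved.
        "jws_roundtrip": jws_verify(token, KEY) == original_bytes,
        "jws_rejects_modified_payload": jws_verify(modified_token, KEY) is None,
        # Detached without c14n: breaks as soon as anyone re-serializes.
        "detached_plain_same_bytes": detached_verify(original, plain_sig, KEY, False),
        "detached_plain_reordered": detached_verify(reordered, plain_sig, KEY, False),
        # Detached with c14n: survives re-serialization, at the cost of a c14n spec.
        "detached_c14n_reordered": detached_verify(reordered, c14n_sig, KEY, True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `detached_plain_reordered` case is the failure mode the thread is circling: the value is unchanged, only the bytes are, and the verifier has no way to recover the bytes the signer saw. The JWS cases show why JOSE sidesteps the problem by design rather than by canonicalization.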