[Security] Re: e2e feedback

Mridul mridul at sun.com
Fri Mar 16 18:25:54 CDT 2007


Peter Saint-Andre wrote:
> Matthias Wimmer wrote:
> 
>> But still I keep saying that the protocol we are looking for is XML
>> Signature and XML Encryption, that have been defined by the W3C.
>> http://www.w3.org/Signature/
>> http://www.w3.org/Encryption/2001/
>> These are standards specially made to sign and encrypt XML data, so it is
>> exactly what we need. And even though I asked on the standards JID, nobody
>> could yet tell me what would be a problem with these standards.
> 
> FWIW, Peter Gutmann has some piquant things to say about xmlenc/xmldsig 
> here:
> 
> http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt
> 
> Though he also thinks that RFC 3923 was a great idea, so YMMV...
> 
> /psa
> 


I always considered 3923 a pretty decent idea since it was practical ... 
XML security-related specs have always been a mess to implement (reminds 
me a lot of the SOAP bloat).
Not sure how we will do PFS with 3923 easily enough though ... unless I 
am missing something. I have yet to go through 136 and the associated specs, 
so I will reserve comments for the conf.

Regards,
Mridul
