[Security] Re: e2e feedback

Peter Saint-Andre stpeter at jabber.org
Fri Mar 16 22:08:39 CDT 2007


Mridul wrote:
> Peter Saint-Andre wrote:
>> Matthias Wimmer wrote:
>>
>>> But still I keep saying that the protocol we are looking for is XML
>>> Signature and XML Encryption, that have been defined by the W3C.
>>> http://www.w3.org/Signature/
>>> http://www.w3.org/Encryption/2001/
>>> These are standards specially made to sign and encrypt XML data, so it is
>>> exactly what we need. And even while I asked on the standards JID,
>>> nobody could yet tell me what would be a problem with these standards.
>>
>> FWIW, Peter Gutmann has some piquant things to say about
>> xmlenc/xmldsig here:
>>
>> http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt
>>
>> Though he also thinks that RFC 3923 was a great idea, so YMMV...
>>
>> /psa
>>
> 
> 
> I always considered 3923 a pretty decent idea since it was practical ... 

Practical, other than the PKI dependency (or can you use self-signed 
certificates?) and the CPIM usage (which developers hate, there are no 
CPIM parsers) and the MIME stuff (very much not jabberish). As someone 
once said, S/MIME is the only known security technology with more 
implementations than users. :)

> xml security related specs have always been a mess to implement (reminds 
> me a lot of the SOAP bloat).

Ick yes.

/psa