Re: [atoca] New Version Notification for draft-barnes-atoca-escape-01.txt
"Matt Miller (mamille2)" <mamille2@cisco.com> Mon, 17 September 2012 20:30 UTC
I agree with Martin's and Richard's sentiments on this. The vast majority of XML or XML-like implementations I am aware of cannot properly verify or generate XML canonicalization. I also have concerns about transporting XMLDSig things over transports that look an awful lot like XML, and the potential for incompatibility because of the lack of XML canonicalization support. In my opinion, using a serialized method such as ESCAPE would mitigate most of that concern.

- m&m
Matt Miller - <mamille2@cisco.com>
Cisco Systems, Inc.

On Sep 12, 2012, at 11:02, Martin Thomson wrote:

> On 11 September 2012 12:36, Art Botterell <acb@incident.com> wrote:
>> Hi Martin -
>>
>> Not sure how one might implement digital signatures of XML without canonicalization, really, but if that "accepted wisdom" is correct, wouldn't that better be addressed by refinement or replacement of RFC3275 rather than vectoring off into development of a "splinter" specification?
>
> That's precisely the problem. I can digitally sign a serialization of XML relatively trivially, but to truly sign the XML then you need to canonicalize the content. JOSE are dealing with signing in a completely different fashion for this exact reason: they only deal with the serialization. That simplifies implementation greatly.
>
>> I do observe that all the various implementers of IPAWS-compatible systems in the US have had to implement XML signatures and seem to have managed without undue difficulty. Perhaps the available libraries have improved.
>
> Perhaps they have. Though I note that it's a different matter to implement this sort of canonicalization in millions of devices with a wide range of capabilities. Last I checked, XML canonicalization libraries weren't small either.
>
>> And I'm not clear on what it is that tokens would optimize, but hopefully Richard can explain that.
>
> Checking a signature is expensive. Proving that you have access to the pre-image for a prearranged hash allows clients to filter out bogus alerts quickly.
> _______________________________________________
> atoca mailing list
> atoca@ietf.org
> https://www.ietf.org/mailman/listinfo/atoca
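An added illustration (not part of the thread, nor of ESCAPE or JOSE) of the two points argued above: a signature over the exact serialized bytes breaks as soon as an intermediary re-serializes logically identical XML, which is the gap canonicalization exists to close, and a cheap hash pre-image check lets a receiver discard bogus alerts before paying for signature verification. The alert strings, the key and the token are constructed for the example, and an HMAC stands in for the asymmetric signature so it runs offline.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: the same logical alert serialized two different ways
# (attribute order and whitespace differ; the information content does not).
ALERT_A = b'<alert id="42" sev="Extreme"><info>Flood</info></alert>'
ALERT_B = b'<alert sev="Extreme" id="42">\n  <info>Flood</info>\n</alert>'

# Assumed shared key; HMAC stands in for the asymmetric signature. The point
# is which bytes get signed, not the primitive.
SIGNING_KEY = b"constructed-demo-key"

def sign_serialization(data: bytes) -> bytes:
    """Sign the exact bytes on the wire (JOSE-style); no canonicalization."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()

def verify_serialization(data: bytes, sig: bytes) -> bool:
    """Valid only if the receiver still holds the byte-identical serialization."""
    return hmac.compare_digest(sign_serialization(data), sig)

def same_infoset(a: bytes, b: bytes) -> bool:
    """True when two serializations parse to the same element/attribute/text tree."""
    def shape(e):
        return (e.tag, sorted(e.attrib.items()), (e.text or "").strip(),
                [shape(c) for c in e])
    return shape(ET.fromstring(a)) == shape(ET.fromstring(b))

# Pre-image token filter: the client is provisioned with H(token) ahead of
# time; an alert must carry the token itself to get past the cheap check.
def provision_digest(token: bytes) -> bytes:
    return hashlib.sha256(token).digest()

def accept_alert(alert: bytes, token: bytes, sig: bytes, known_digest: bytes):
    """Returns (accepted, signature_was_checked). Hash check runs first."""
    if not hmac.compare_digest(hashlib.sha256(token).digest(), known_digest):
        return False, False   # bogus alert dropped before the expensive step
    return verify_serialization(alert, sig), True

if __name__ == "__main__":
    sig = sign_serialization(ALERT_A)
    print("same infoset:", same_infoset(ALERT_A, ALERT_B))
    print("verify A:", verify_serialization(ALERT_A, sig))
    print("verify B (re-serialized):", verify_serialization(ALERT_B, sig))
```

A receiver that only signs serializations therefore has to carry the signed bytes opaquely (as JOSE does with base64url) rather than re-emit the XML.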