Re: [woes] "Basing" on CMS

Stephen Farrell <> Thu, 14 July 2011 20:34 UTC

On 13/07/11 18:42, Paul Hoffman wrote:
> On Jul 13, 2011, at 10:27 AM, Mike Jones wrote:
>> I strongly disagree with the "basing on CMS" wording.  I'd be OK with wording more like "drawing upon existing inputs such as CMS, XMLDSIG, and XMLENC".
>> There's a lot to reuse from these documents.  But it's prejudicial to have a discussion that starts from the assumption that we are basing this work on CMS.
> As someone who participated in the early XMLDSIG and XMLENC work, I have to ask: what do they have for this JSON work that CMS doesn't? That is, there was a conscious attempt to mirror CMS structures in them. Where they strayed (such as on namespaces), they went to hell.
> One or two examples here would really help.

Indeed. I think the KeyInfo from XMLDSIG is maybe a
slightly better model than (almost) forcing
IssuerAndSerialNumber from 5280 as is done in CMS.
That's the level at which I think we need to have
the discussion to understand what people are claiming
is wrong with basing on CMS.

For me, other than that example, I really fail to
see anything wrong with basing on CMS, so some
examples would be very good, even if they only
come two weeks after I first asked.

(Or, maybe all the disquiet on this topic is
really format-wars yet again and from the security
p-o-v, content-free;-)


> --Paul Hoffman