Re: xml-security vs. native security

From: Bruce Stephens (bruce+usenet_at_cenderis.demon.co.uk)
Date: 03/28/05


Date: Mon, 28 Mar 2005 18:23:49 +0100

securenix <sequru@yahoo.com> writes:

> For security issues like encrypting, signing, etc. I am planning to
> use native byte[]-oriented cryptographic techniques. But I see
> around xml-security solutions (e.g. WS-Security, etc.). I wonder
> what advantages the xml-security bring us over native-security
> solutions? Do native-solutions cause any bottleneck for web
> services?

My guess is that it's the same kind of difference as with OSI: rather
than checking the signature of the bytes (in BER) you got over the
wire, you can encode the abstract value in a particular way (DER) and
check the signature of that.

So it allows you not to keep the actual encoding that you received
(since the signature is on a canonical encoding), and store the value
in whatever way is convenient to your application.

It may be worth mentioning that recent OSI drafts seem to suggest that
the signed value should be sent as DER, but the signature should be
verified against the actual octets sent. (i.e., it seems that the
original idea may not have been worthwhile.)

I guess it may depend on when you're likely to be checking the
signature: if it's soon after receiving it, then you may as well check
it against the actual encoded value; if it's much later, then there
may be an advantage in being able to reproduce the encoded value from
some other kind of storage.

(I can't think of any particular advantage either way for encryption.)
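
The difference between checking a signature against the octets received and against a canonical re-encoding, as an added example that is not part of the original post. It assumes a toy ASN.1 subset (INTEGER and SEQUENCE only), a constructed key and sample message, and uses HMAC-SHA256 as a stand-in for a public-key signature.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a real signature
# Constructed sample: SEQUENCE { INTEGER 5, INTEGER 300 }, valid BER with long-form lengths.
WIRE_BER = bytes.fromhex("308108" "02810105" "0202012c")

def sign(octets):
    return hmac.new(KEY, octets, hashlib.sha256).digest()

def verify(octets, sig):
    return hmac.compare_digest(sign(octets), sig)

def read_tlv(buf, pos=0):  # one definite-length TLV -> (tag, contents, next_pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not handled here")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated encoding")
    return tag, buf[pos:pos + length], pos + length

def decode(buf, pos=0):  # -> (abstract value, next_pos); int or list of values
    tag, contents, end = read_tlv(buf, pos)
    if tag == 0x02:
        return int.from_bytes(contents, "big", signed=True), end
    if tag != 0x30:
        raise ValueError("unsupported tag")
    items, p = [], 0
    while p < len(contents):
        item, p = decode(contents, p)
        items.append(item)
    return items, end

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_der(v):  # canonical (DER) encoding of the abstract value
    if isinstance(v, int):
        size = (v if v >= 0 else ~v).bit_length() // 8 + 1
        return b"\x02" + der_len(size) + v.to_bytes(size, "big", signed=True)
    body = b"".join(encode_der(x) for x in v)
    return b"\x30" + der_len(len(body)) + body
```

A receiver that keeps only the decoded value `[5, 300]` can regenerate the DER octets at any later time, so a signature made over the DER form still verifies, while a signature made over the BER octets as sent verifies only while those exact octets are retained.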


