[CAP] Then Again... (was Re: CAP SecurityUsingDigitalSignatures)
Art Botterell
acb at incident.com
Thu Mar 12 16:43:22 PDT 2009
On Mar 12, 2009, at 3/12/09 4:16 PM, Russo CTR Brian T wrote:
> It just strikes me as absurd and incredibly klunky.
I don't disagree... and if folks out there have confidence that the
current crop of XMLSIG tools can canonicalize and verify successfully,
then we can move ahead with smiles on our faces. I just kept hearing
horror stories of folks crying "Run away!" because they got frustrated
by C14N's brittleness and couldn't get past it to the benefits of D-SIGs.
Then again... once an alert has been verified on receipt, I'm not sure
there's always a lot of need for the signature to persist in a local
data structure... not unless the node plans to archive or forward it,
in which cases it would simply retain a full copy of the original
instead of just the signature. Not entirely elegant, but not a
crushing burden, either... particularly not if the alternative doesn't
work!
Anyway, the reason I suggested a "null" canonicalization was so we
could plug in other C14N schemes later without putting an unstable
component on the critical path to success.
But if that's not necessary, by all means let's not do it that way!
- Art
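The trade-off Art is describing above (C14N absorbs the differences between toolkits' serializations but is itself a fragile component, while a "null" canonicalization only ever verifies a byte-exact copy), as an added example that is not part of the original thread or of any CAP toolkit. It assumes the C14N 2.0 canonicalizer in Python's standard library as a stand-in for the C14N 1.x algorithms the XMLSIG tools of the time used, a bare SHA-256 digest as a stand-in for the digest step of a full XML signature, and a constructed CAP-shaped alert fragment rather than a real alert:

```python
"""Added example (not from the CAP list thread or any CAP toolkit).

Shows what XML canonicalization does and does not absorb before the
digest step of an XML signature. Assumptions: the C14N 2.0 canonicalizer
in Python's standard library stands in for the C14N 1.x algorithms XMLSIG
tools use, a bare SHA-256 digest stands in for the full signature, and the
alert is a constructed CAP-shaped fragment.
"""
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed: the document the signer committed to.
ORIGINAL = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<alert xmlns="urn:oasis:names:tc:emergency:cap:1.2">'
    '<identifier>example-001</identifier>'
    '<info lang="en-US" category="Met"><headline>Test</headline></info>'
    '<area/>'
    '</alert>'
)

# Constructed: the same infoset re-serialized by another toolkit. The XML
# declaration is gone, attribute order and quoting changed, and the empty
# element is expanded. Byte for byte it is a different document.
RESERIALIZED = (
    '<alert xmlns="urn:oasis:names:tc:emergency:cap:1.2">'
    '<identifier>example-001</identifier>'
    "<info category='Met' lang='en-US'><headline>Test</headline></info>"
    '<area></area>'
    '</alert>'
)

# Constructed: pretty-printed by a relay. Indentation adds whitespace-only
# text nodes, which are part of the infoset, so plain C14N preserves them.
PRETTY = (
    '<alert xmlns="urn:oasis:names:tc:emergency:cap:1.2">\n'
    '  <identifier>example-001</identifier>\n'
    '  <info lang="en-US" category="Met">\n'
    '    <headline>Test</headline>\n'
    '  </info>\n'
    '  <area/>\n'
    '</alert>'
)


def raw_digest(xml_text: str) -> str:
    """'Null' canonicalization: digest exactly the bytes that were received."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text: str, strip_text: bool = False) -> str:
    """Digest the C14N 2.0 form (attributes sorted, quoting and empty elements
    normalized, declaration dropped). strip_text=True additionally drops
    whitespace-only text nodes; that is no longer plain C14N, so signer and
    verifier have to agree on it out of band."""
    canon = canonicalize(xml_text, strip_text=strip_text)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def verifies(received: str, mode: str, signed: str = ORIGINAL) -> bool:
    """Would the digest a verifier computes over `received` match the digest
    the signer computed over `signed` under the given canonicalization?"""
    if mode == "null":
        return raw_digest(received) == raw_digest(signed)
    if mode == "c14n":
        return c14n_digest(received) == c14n_digest(signed)
    if mode == "c14n-strip":
        return c14n_digest(received, True) == c14n_digest(signed, True)
    raise ValueError(f"unknown canonicalization mode: {mode}")


def verification_matrix() -> dict:
    """Every (document, mode) pair, so the trade-off is visible at a glance."""
    docs = {"original": ORIGINAL, "reserialized": RESERIALIZED, "pretty": PRETTY}
    modes = ("null", "c14n", "c14n-strip")
    return {name: {m: verifies(doc, m) for m in modes} for name, doc in docs.items()}


if __name__ == "__main__":
    for name, results in verification_matrix().items():
        cells = "  ".join(f"{m}={'ok' if v else 'FAIL'}" for m, v in results.items())
        print(f"{name:12s} {cells}")
```

The matrix makes both halves of the argument concrete: under the "null" scheme only the byte-exact original verifies, which is why a node that forwards or archives an alert has to keep the full original bytes rather than re-serialize and re-attach the signature; under C14N a re-serialized copy still verifies, but a pretty-printed one does not unless both sides also agree to strip whitespace-only text, which is exactly the kind of extra agreement that makes the canonicalization step brittle in practice.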