On Fri 2008-06-06T15:50:09 -0700, Rob Seaman hath writ:
> Is there some reason,
> however, that PGP can't be used to sign a canonical XML packet? What
> are the strengths and weaknesses of that notion?
I may be wrong, but of the components in W3C Signature, I got the impression that the canonicalization algorithms are far more complex than the signing ones.
In W3C Signature, the XML that is shipped can remain in the original format, which may be nicely arranged for humans to read. The canonicalization is all done transiently, and internally to the tools, and in a way that communicates what form of canonicalization was done to the recipient.
If PGP were to be used then the original VOEvent would have to be canonicalized, presented to PGP, and then a new scheme invented to keep the association between VOEvent, canonicalization algorithm, and signature. That's either using or reinventing the harder component of W3C Signature and then inventing more technology.
--
Steve Allen                 <sla-at-ucolick.org>                WGS-84 (GPS)
UCO/Lick Observatory        Natural Sciences II, Room 165       Lat  +36.99855
University of California    Voice: +1 831 459 3046              Lng -122.06015
Santa Cruz, CA 95064        http://www.ucolick.org/~sla/        Hgt +250 m

Received on 2008-06-07Z01:54:03
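
The association discussed in the message above, sketched as an added example that is not part of the original post or of any VOEvent tooling: a digest over the shipped bytes breaks when the XML is re-serialized, while a digest over the canonical form survives, provided a record names which canonicalization was used. The sample documents, the record layout and the "c14n2" label are constructed for illustration; signing the record bytes (with PGP or anything else) is left out.

```python
import hashlib
import hmac
import json
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

C14N_LABEL = "c14n2"  # hypothetical label for this example, not a standard URI

# Constructed samples: one event serialized two ways (declaration, attribute
# order, quote style, empty-element form). Not a real VOEvent.
AS_SENT = """<?xml version="1.0"?>
<Event role="test" id="ivo://example/evt#1">
  <Who/>
  <Param name="mag" value="18.2"/>
</Event>"""
AS_RECEIVED = """<Event id='ivo://example/evt#1' role='test'>
  <Who></Who>
  <Param value='18.2'   name='mag' />
</Event>"""


def raw_digest(xml_text):
    """Digest of the bytes exactly as shipped (what signing the file covers)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text):
    """Digest of the canonical form, computed transiently by the tool."""
    return hashlib.sha256(canonicalize(xml_text).encode("utf-8")).hexdigest()


def make_record(xml_text):
    """The association a detached scheme must carry: algorithm plus digest."""
    return {"c14n": C14N_LABEL, "digest_alg": "sha256",
            "digest": canonical_digest(xml_text)}


def record_bytes(record):
    """Deterministic bytes of the record; these are what a signer would sign."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def verify_record(xml_text, record):
    """Recompute the digest only if the declared canonicalization is one we know."""
    if record.get("c14n") != C14N_LABEL or record.get("digest_alg") != "sha256":
        return False
    return hmac.compare_digest(canonical_digest(xml_text), record.get("digest", ""))
```

Note that canonicalization as used here does not normalize whitespace between elements, so re-indenting a document still changes its canonical digest.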