[xmlsec] PGP and XML Signature

John Belmonte john at neggie.net
Sat May 29 19:01:36 PDT 2004


Hello,

Aleksey, perhaps you or some xmlsec users may be interested in this story.

I originally became interested in the xmlsec library because I thought 
I'd be using it for a certain project.  In the meantime, I was trying to 
become a Debian developer, and Aleksey impressed me as an amiable 
upstream author, so I selected xmlsec for my first attempt at packaging 
software for Debian.

As it turns out, the project I was working on didn't use xmlsec.  Partly 
this was because we were using Python for everything, and there was no 
Python binding for xmlsec at the time.  The other reason is that our 
system uses PGP cryptography for all identities.  Even if xmlsec was 
expanded to implement the PGP portions of XML Signature, which Aleksey 
encouraged, the fact is that the XML Signature support for PGP is 
severely limited.  So my partner ended up writing an XML Signature 
implementation in Python, supporting only the PGP key type augmented 
with a few customizations.

As far as the implementation, we used a command-line interface to gnupg. 
This allowed us to circumvent some licensing issues, and in fact our 
Python library is released under an MIT license, just like xmlsec.  We 
added two customizations to the base XML Signature spec.  I'm just a 
layman, but from my understanding, one is a new element for KeyInfo 
which is a full 160-bit PGP fingerprint.  (The XML Signature spec had 
only allowed for the shorter PGP ID, which is much more susceptible to 
collisions, or a full PGP key packet, which can be very large for a key 
with many signatures.)  The other customization was a new 
SignatureMethod algorithm, allowing the SignatureValue to be a complete 
PGP signature.

So that is my story.  If anyone would like to see what one of these 
signatures looks like, there is an example in the document at 
<http://giftfile.org/documents/certificate_synopsis>.

I still hope that someday the xmlsec library will support PGP key types, 
perhaps even with our extensions.

Regards,
-John

-- 
http://giftfile.org/  ::  giftfile project
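Added illustration, not code from the giftfile library (whose element name and namespace the message does not give, so `PGPFingerprint` in `urn:example:pgp-fingerprint` is a placeholder): it builds a KeyInfo in the shape John describes, the standard XML Signature `PGPKeyID` beside a full 160-bit fingerprint, and shows the verifier-side consistency check that follows from the OpenPGP V4 rule that the key ID is just the low-order 64 bits of the SHA-1 fingerprint (RFC 4880), which is why the short ID is the weaker identifier. The key packet body is constructed, not a real key.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
EXT_NS = "urn:example:pgp-fingerprint"  # placeholder; real namespace not given

# Constructed sample: a tiny, not-real RSA public-key packet body (version 4,
# creation time, algorithm 1, MPI n, MPI e); a real key body is far larger.
SAMPLE_KEY_BODY = (
    b"\x04" + struct.pack(">I", 1085875296) + b"\x01"
    + struct.pack(">H", 16) + b"\xc3\x5b"      # MPI n, 16 bits
    + struct.pack(">H", 17) + b"\x01\x00\x01"  # MPI e = 65537, 17 bits
)

def v4_fingerprint(public_key_body: bytes) -> bytes:
    """OpenPGP V4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, a 2-byte
    big-endian body length, and the public-key packet body."""
    prefix = b"\x99" + struct.pack(">H", len(public_key_body))
    return hashlib.sha1(prefix + public_key_body).digest()

def key_id(fingerprint: bytes) -> bytes:
    """PGPKeyID carries only the low-order 8 bytes of the fingerprint."""
    return fingerprint[-8:]

def build_keyinfo(fingerprint: bytes) -> str:
    """Standard PGPData/PGPKeyID plus the 160-bit fingerprint extension."""
    ET.register_namespace("ds", DSIG_NS)
    ET.register_namespace("ext", EXT_NS)
    key_info = ET.Element(f"{{{DSIG_NS}}}KeyInfo")
    pgp = ET.SubElement(key_info, f"{{{DSIG_NS}}}PGPData")
    ET.SubElement(pgp, f"{{{DSIG_NS}}}PGPKeyID").text = base64.b64encode(key_id(fingerprint)).decode()
    ET.SubElement(key_info, f"{{{EXT_NS}}}PGPFingerprint").text = fingerprint.hex().upper()
    return ET.tostring(key_info, encoding="unicode")

def check_keyinfo(xml_text: str) -> bool:
    """Verifier side: the fingerprint must be exactly 160 bits and PGPKeyID
    must be its low-order 8 bytes, or the two identifiers disagree."""
    root = ET.fromstring(xml_text)
    kid_el = root.find(f"{{{DSIG_NS}}}PGPData/{{{DSIG_NS}}}PGPKeyID")
    fp_el = root.find(f"{{{EXT_NS}}}PGPFingerprint")
    if kid_el is None or fp_el is None:
        return False
    try:
        fp = bytes.fromhex(fp_el.text)
        kid = base64.b64decode(kid_el.text, validate=True)
    except (ValueError, TypeError):
        return False
    return len(fp) == 20 and kid == key_id(fp)
```

A real verifier would additionally fetch the key by fingerprint and confirm that the PGP signature in SignatureValue was made by it; the check above only rejects a KeyInfo whose two identifiers cannot belong to the same key.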