Re: [DotGNU]pnetlib and the VRS, SEE and other server concepts

[Jonathan P Springer]

On Wed, Mar 20, 2002 at 12:20:29PM +0000, Chris Smith wrote:
> On Wednesday 20 March 2002 11:06, Norbert Bollow wrote:
> 
... snip ...
> > XML is the de-facto standard, although for bigger payloads I
> > think it would make a lot of sense to use compressed XML.
> > Depending on the context, the compressed XML should possibly
> > also be encrypted, and it should be possible to add a digital
> > signature to the encrypted compressed XML.
> 
> This is why I like SOAP with attachments.  The SOAP envelope just contains 
> references to the XML payloads 'attached' to the message.  The SOAP bit is 
> just an index to the rest of the message.
> It makes scanning, routing and re-packaging very easy, with very low CPU 
> consumption.  The attachments may ( I assume - don't quote me!) be compressed 
> and encrypted as they're prefixed with the standard Content-Type: header, so 
> whatever decides to extract a particular attachment will know what to do with 
> it to get back to XML.
> Nice.
> I'm designing the XML gateway for a big Government branch at the moment, and 
> am going to use SOAP with attachments to make Life Easy!
> 
> > I'd propose using the OpenPGP format and code from GnuPG for
> > these things.
> 
> I've been using openSSL for these things as it comes with a complete set of 
> encryption libraries - what does openPGP use?
> 
... snip ...

W3C recently published XML Signature, XML Encryption, and XML Key
Management specs in various levels of completeness.  I haven't read them
yet, but anyone working seriously on this aspect of the project should.

On the library notes, my research is 6 months old, but when I did in
GnuPG did not implement any "library" interface; all access to it was
done by 'exec' ing various aspects of the command line.  This is not
necessarily a Bad Thing, just something to keep in mine -- one must
either fork the code and implement a library-ish interface, or be
prepared for dealing with a CLI interface.

OpenSSL, otoh, has nice interfaces but comes with a plethora of patent-
and inane-legal-(thank-you-US-goverment)- management issues as well as
the BSD license, which AFAIK, has been labelled "incompatible" with GPL.
(Don't ask me why -- the last time I tried to explain on a different
list, a large flame war resulted.)

I'll refrain from designing this blind; I just wanted to be sure these
facts were generally available (or refuted).

Cheers,
-js

--
-Jonathan P Springer <address@hidden>
------------------------------------------------------------------------------
"A standard is an arbitrary solution to a recurring problem." - Joe Hazen