[xmlsec] PGP and XML Signature
john at neggie.net
Sat May 29 19:01:36 PDT 2004
Aleksey, perhaps you or some xmlsec users may be interested in this story.
I originally became interested in the xmlsec library because I thought
I'd be using it for a certain project. In the meantime, I was trying to
become a Debian developer, and Aleksey impressed me as an amiable
upstream author, so I selected xmlsec for my first attempt at packaging
software for Debian.
As it turns out, the project I was working on didn't use xmlsec. Partly
this was because we were using Python for everything, and there was no
Python binding for xmlsec at the time. The other reason is that our
system uses PGP cryptography for all identities. Even if xmlsec was
expanded to implement the PGP portions of XML Signature, which Aleksey
encouraged, the fact is that the XML Signature support for PGP is
severely limited. So my partner ended up writing an XML Signature
implementation in Python, supporting only the PGP key type augmented
with a few customizations.
As far as the implementation, we used a command-line interface to gnupg.
This allowed us to circumvent some licensing issues, and in fact our
Python library is released under an MIT license, just like xmlsec. We
added two customizations to the base XML Signature spec. I'm just a
layman, but from my understanding, one is a new element for KeyInfo
which is a full 160-bit PGP fingerprint. (The XML Signature spec had
only allowed for the shorter PGP ID, which is much more susceptible to
collisions, or a full PGP key packet, which can be very large for a key
with many signatures.) The other customization was a new
SignatureMethod algorithm, allowing the SignatureValue to be a complete
So that is my story. If anyone would like to see what one of these
signatures looks like, there is an example in the document at
I still hope that someday the xmlsec library will support PGP key types,
perhaps even with our extensions.
http://giftfile.org/ :: giftfile project
More information about the xmlsec