W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2011

Re: Indicating certificate order in XML Dig Sig

From: <Frederick.Hirsch@nokia.com>
Date: Wed, 29 Jun 2011 15:55:34 +0000
To: <marcosscaceres@gmail.com>
CC: <Frederick.Hirsch@nokia.com>, <public-xmlsec@w3.org>, <public-webapps@w3.org>, <tlr@w3.org>, <kai.hendry@wacapps.net>, <paddy.byers@gmail.com>
Message-ID: <A01B3E06-B999-46C9-BB3E-D478E541B5B2@nokia.com>
Marcos

It also occurred to me that we should have a link to the Best Practices document from XML Signature, so people are aware of it.
Thanks for the excellent suggestion. We will follow up on this in the XML Security WG.

regards, Frederick

Frederick Hirsch
Nokia



On Jun 28, 2011, at 6:16 PM, ext Marcos Caceres wrote:

> HI Fredrick, XML Sec WG,
> 
> On Tue, Jun 28, 2011 at 8:43 PM,  <Frederick.Hirsch@nokia.com> wrote:
>> Marcos
>> 
>> The XML Security WG discussed your proposed addition regarding certificate ordering at our teleconference today [1].
>> 
>> The Working Group does not agree to change the core XML Signature specification as these would not be normative changes to that specification. The XML Signature specification focuses on the details of signing but  as a design choice does not detail generic PKI considerations (or details related to the various KeyInfo materials that have schema places in the specification) [2].
>> 
> 
> Understood.
> 
>> The sense of the Working Group is that a  profile of XML Signature, such as Widget SIgnature would be an appropriate place to note practices or restrictions important to that specification.
>> 
> 
> I will add this non-normative note to the Widget Signature specification.
> 
>> However, the XML Security WG does have a non-normative XML Signature Best Practices document [3] and could add material such as this to it, which would probably also make sense. Would you be able to craft language for a best practice (the document uses a format of expressing the issue, a short statement of the practice and then details).
>> 
> 
> I'd be happy to proposed some text. I'll just send you whatever ends
> up in the Widget Sig specification.
> 
> Additionally, it is great that the XML Security Working Group has
> created a best practices document. I would encourage the Working Group
> to link to the best practices from the Introduction of the
> specification or as a non-normative reference. Or add it under the
> Editors as a link in the header of the document, so it can be quickly
> and easily found.
> 
> Again, I speak from having dealt with numerous (~7) companies trying
> to implement XML Dig Sig 1.1 + the Widgets Signature spec. There is *a
> lot* of confusion about this stuff out there and a lot of frustration
> because its super hard to find any useful guidance or information
> easily.
> 
> I urge the working group, please: this is a pretty good technology and
> it's not that hard to use once you understand what is going on. The
> more guidance this working group can provide, the better. I'll do my
> bit on the Widget Dig Sig side, but you guys also have a
> responsibility to make XML Dig Sigs a pleasant experience to use (from
> a specification, implementation, and author perspective). At least
> linking to the best practices guide from the spec is a step in the
> right direction, even if you don't include a non-normative note about
> it.
> 
> Kind regards,
> Marcos
> -- 
> Marcos Caceres
> http://datadriven.com.au
Received on Wednesday, 29 June 2011 15:56:16 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:45 GMT