W3C home > Mailing lists > Public > public-xmlsec@w3.org > March 2009

ACTION-237: questions to address with Signature 2.0 proposal

From: Scott Cantor <cantor.2@osu.edu>
Date: Sun, 22 Mar 2009 16:12:15 -0400
To: "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Message-ID: <00be01c9ab2a$7eb99f00$7c2cdd00$@2@osu.edu>
Here's a list of a few questions to (hopefully) stimulate the
decision-making process:

- Do the advantages of the proposed redesign outweigh the cost of creating a
significantly different 2.0 specification?

I think the answer to this is yes, because it addresses two issues that I
have major difficulty with today: implementations in more languages, and
improving the ability to understand what's been signed. Streaming is also
addressed.

However, there would seem to be a trade-off against existing implementations
to be weighed.

- Are there use cases precluded by this suggested redesign, and are those
use cases important?

I'm not best positioned to figure out what's missing at this point, but I
think as proposed it's suggesting that the Transforms option would be
limited. But since one of those Transforms is still XSLT, I'm not clear on
whether anything is actually being limited here in practice.

- Is the need for Transforms limited to XSLT and Decryption?

If so, is keeping even those justified? Can't XSLT be made a workflow issue
by signing both a source document and the transform to apply?

- Is the extension model sufficient? Necessary?

It appears that the extension model in this proposal would depend more on
source-level reuse and would require much more careful code design than with
the pluggability/pipeline model of the current spec. This suggests to me
that extensions would be even less likely than currently, but in my
experience the likelihood now is extremely low anyway because of concerns
over interoperability.

-- Scott
Received on Sunday, 22 March 2009 20:12:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:57 GMT