W3C home > Mailing lists > Public > public-xmlsec@w3.org > September 2010

Review of the 2010 August 26 draft of Magic Signatures

From: Ed Simon <edsimon@xmlsec.com>
Date: Mon, 20 Sep 2010 18:04:11 -0400
To: XMLSec WG Public List <public-xmlsec@w3.org>
Message-ID: <1285020251.1504.17.camel@XMLSEC-BIZ.phub.net.cable.rogers.com>
I have reviewed the 2010 August 26 draft of Magic Signatures:


Here are my comments as they pertain to XML Signature:

1. Throughout the document, replace "XML-DSig" and its variants with
"XML Signature".

2. In Section 1, there is the line "In the field, XML-DSig has proven to
be problematic in applications such as syndication of feeds.". This
statement requires references and/or explanation so that one knows what
the problems are.

3. Bullet 1 "Can handle any data format; not tied to XML." is, at best,
ambiguous. If taken to suggest that XML Signature can only sign XML
data, then it is false. However, I believe the intention was actually to
say, for example, that "Magic Signatures can be serialized into
arbitrary data formats such XML and JSON." The bullet needs to be
rewritten to remove mis-interpretations.

4. In Section 3, replace "and serialized as either XML or JSON" with
"and serialized into arbitrary data formats such as XML and JSON (these
serializations are profiled within this specification)".

5. Section 3.4 states that "This specification does not define a DTD,
and thus does not require validity (in the sense used by XML)." And then
goes on to detail, in human language, the validation requirements for
the XML-serialized version of Magic Signatures. Indeed, those validation
requirements are basically XML validation as the term is generally used.
Given that Magic Signatures does set rules wrt the data structure of the
XML serialized form, the specification should include an XML Schema or
Relax NG schema that expresses those validation rules in a
machine-readable manner.


Ed Simon, XMLsec Inc.
Received on Monday, 20 September 2010 22:04:50 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:14 UTC