Re: Indicating certificate order in XML Dig Sig from Frederick.Hirsch@nokia.com on 2011-06-28 (public-xmlsec@w3.org from June 2011)

From: <Frederick.Hirsch@nokia.com>
Date: Tue, 28 Jun 2011 19:43:57 +0000
To: <marcosscaceres@gmail.com>
CC: <Frederick.Hirsch@nokia.com>, <public-xmlsec@w3.org>, <public-webapps@w3.org>, <tlr@w3.org>, <kai.hendry@wacapps.net>, <paddy.byers@gmail.com>
Message-ID: <93E6B89F-892B-4BB3-B4D8-91E5D127F09C@nokia.com>

Marcos

The XML Security WG discussed your proposed addition regarding certificate ordering at our teleconference today [1].

The Working Group does not agree to change the core XML Signature specification as these would not be normative changes to that specification. The XML Signature specification focuses on the details of signing but  as a design choice does not detail generic PKI considerations (or details related to the various KeyInfo materials that have schema places in the specification) [2].

The sense of the Working Group is that a  profile of XML Signature, such as Widget SIgnature would be an appropriate place to note practices or restrictions important to that specification.

However, the XML Security WG does have a non-normative XML Signature Best Practices document [3] and could add material such as this to it, which would probably also make sense. Would you be able to craft language for a best practice (the document uses a format of expressing the issue, a short statement of the practice and then details).

Thanks

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security WG

For tracker this should complete ACTION-815

[1] http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/att-0058/minutes-2011-06-28.html

[2] http://www.w3.org/TR/2011/CR-xmldsig-core1-20110303/

[3] http://www.w3.org/TR/2010/WD-xmldsig-bestpractices-20100831/

On Jun 27, 2011, at 1:05 PM, ext Marcos Caceres marcosscaceres@gmail.com wrote:

> On Mon, Jun 20, 2011 at 3:21 PM, Cantor, Scott E. <cantor.2@osu.edu> wrote:
>> On 6/20/11 8:37 AM, "Marcos Caceres" <marcosscaceres@gmail.com> wrote:
>>> Is there some means to explicitly indicate the order in which
>>> certificates in an xml dig sig file should be processed? The problem
>>> is that if you screw up the certificate order in the xml file, the
>>> validator (e.g,. xmlsec) does not know which cert is the end-entity.
>> 
>> BP is EE first, the rest after (and technically the order of the rest
>> isn't supposed to matter).
> 
> Can I get an assurance from the XML Sec working group that a
> non-normative note will be added to the XML Dig Sig specification wrt
> to this best practice? Please consider this comment implementer
> feedback on the CR.
> 
> -- 
> Marcos Caceres
> http://datadriven.com.au

Received on Tuesday, 28 June 2011 19:44:30 UTC