W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 1999

RE: I have a couple of comments for your draft.

From: Richard D. Brown <rdbrown@Globeset.com>
Date: Thu, 8 Jul 1999 09:59:48 -0500
To: "'Yoshiaki KAWATSURA'" <kawatura@bisd.hitachi.co.jp>
Cc: <w3c-ietf-xmldsig@w3.org>
Message-ID: <003501bec952$86e9e7d0$0bc0010a@artemis.globeset.com>
Yoshiaki,

Thanks for your comments. I have a few comments on my own WRT your
proposals:

(1) I tend to agree that we should propose a series of elements to qualify
Recipient and Originator. For now, I have proposed the IssuerAndSerialNumber
and the Identifier elements. This pair appeared to be the minimum to enable
support for X509 certificate-based and account-based identification.

However, I disagree with the statement "XML Signature Module does not depend
on any specific application." In fact, the current trend is to move
signature verification and user authorization closer to the application
layer. Though verification of the signature value is very mechanical,
identification of the signer and retrieval of the signer's public-key can be
very application-specific.

(2) I think that your proposal is too restrictive and potentially increases
the risk of "ID Conflict" when manipulating composite documents. Identifying
the signer's certificate by means of an IDREF in the OriginatorInfo implies
that the document always embeds a Certificate element that indicates the
location or the value of the certificate. But there are circumstances when
the relying party is already provided with a copy of the certificates that
it trusts (i.e. account-based operation using certificates) or has its own
trusted way to retrieve certificates (delegation to a trusted third-party).
In such circumstances, the relying party only expects a unique and
unambiguous reference to the signer's certificate (i.e.
IssuerAndSerialNumber for X509 certificates).

Sincerely,

Richard D. Brown
Software Architect - R&D
Globeset, Inc. Austin, TX - U.S.


> -----Original Message-----
> From: Yoshiaki KAWATSURA [mailto:kawatura@ecd.bisd.hitachi.co.jp]On
> Behalf Of Yoshiaki KAWATSURA
> Sent: Thursday, July 08, 1999 3:32 AM
> To: rdbrown@Globeset.com
> Cc: kawatura@bisd.hitachi.co.jp
> Subject: I have a couple of comments for your draft.
>
>
> Hello, Richard,
> I have a couple of comments for your draft.
>
> (1):
> I think the XML Signature Module does not depend on the any specific
> application (such as IOTP) because XML Signature is one of the common
> XML frameworks(infrastructures).  On the above assumption, I am
> concerned that some XML Signature Modules may do different behaviors
> if we do not clearly specify the elements in the OriginatorInfo and
> ReceipientInfo component. I am fine with ANY basically but we should
> describe the what we can define in these components.  What do you
> think about this?
>
> (2):
> About #98121501 in the XMLDSIG
> I also think that IssuerAndSerialNumber is too restrictive so
> I suggest that
> Old:
>    <!ELEMENT dsig:Certificate (
>       dsig:IssuerAndSerialNumber,
>        ( dsig:Value | dsig:Locator )
>    )>
>
>    <!ATTLIST dsig:Certificate
>        xmlns:dsig        CDATA        #FIXED    %xmldsig.dtd;
>        type              NMTOKEN      #REQUIRED
>    >
> New:
>    <!ELEMENT dsig:Certificate (
>        ( dsig:Value | dsig:Locator )
>    )>
>
>    <!ATTLIST dsig:Certificate
>        xmlns:dsig        CDATA        #FIXED    %xmldsig.dtd;
>        id                ID           #REQUIRED
>        type              NMTOKEN      #REQUIRED
>    >
>
> And,
>
> Old:
>            <dsig:OriginatorInfo>
>              <dsig:IssuerAndSerialNumber
>                    issuer='o=GlobeSet Inc., c=US'
>                    number='123456789102356'/>
>            </dsig:OriginatorInfo>
>
> New:
>            <dsig:OriginatorInfo>
>              <dsig:Attribute
>                    type='urn:xml-dsig-ietf-org:certificate-ref'>
>      <dsig:Identifier value='value of id element in
> Cerfiticate Component'\>
>            </dsig:OriginatorInfo>
>
>
>
>
> P.S. I will attend to the XMLDSIG WG in the IETF Oslo meeting. I am
> looking forward to see you if you have a plan to go to Oslo.
>
> --
> Yoshiaki Kawatsura   Hitachi, Ltd.
>
Received on Thursday, 8 July 1999 11:00:06 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:06 GMT