W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2000

Re: AW: Errors and Questions

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Thu, 27 Jul 2000 18:52:37 -0400
Message-Id: <3.0.5.32.20000727185237.0135ebe8@localhost>
To: "Gregor Karlinger" <gregor.karlinger@iaik.at>
Cc: "Gregor Karlinger" <gregor.karlinger@iaik.at>, "XML" <w3c-ietf-xmldsig@w3.org>
At 09:44 7/27/2000 +0200, Gregor Karlinger wrote:
 >Correctly, it should look like:
 >
 >  (<Reference (URI=)? >
 >    (Transforms)?
 >    (DigestMethod)
 >    (DigestValue)
 >  </Reference>)+

ahh... I call those parentheses (wasn't sure if bracket meant [ ;)!)

 >>  > [GK9]Only correct for values created with methods
 >>  >specified by XML-Signature standard
 ...
 >I am OK with the current datatype definition, but currently it is
 >contradicting
 >with the explanation of section 4.2:
 >
 ...
 >I suggest to tweak the text as follows:
 >
 >  While we specify a mandatory and optional to implement SignatureMethod
 >algorithms,
 >  user specified algorithms are permitted. Both algorithms specified by
this
 >  specification and user specified ones MUST use Base64 [MIME] as their
 >encoding
 >  method.

Changed.

 >>  > [GK11]Why is it always base64 encoded? I suggest the
 >>  >same mechanism as with SignatureValue, i. e. the encoding (if any) is
 >> determined by the DigestMethod.
 >>
 >> Do you mean there is an attribute in DigestMethod, or that it is
 >> an implicit
 >> parameter? (Please include complete proposal.)
 >
 >Now, with my suggested new text for [GK10], my remark [GK11] gets obsolete.
 >Both SignatureValues and DigestValues shall be Base64 encoded in any case.

Ok.

 >>  > [GK20]Only a single certificate possible here?
 >>
 >> ?
 >
 >The first sentence in section 4.4.4. reads:
 >
 >  An X509Data element within KeyInfo contains one or more identifiers
 >  of keys/X509 certificates that may be useful for validation.
 >
 >It says "one or more X509 certificates" in a X509Data element, which
 >seems reasonable, since I can include a whole certificate chain and
 >not only one EE certificate. But the grammar (now, in your latest
 >editorial copy both Schema and DTD) only allow for a single certificate.

Addressed in other email, Barb said limited to 1.

 >>  > [GK22]Content Model is different from that in the
 >>  >Schema Definition
 >>
 >> Based on previous comment Editors' copy reads:
 >>
 >>    <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+ |
 >>                       X509Certificate | X509CRL)>
 >
 >See also my comment on [GK20] above.

Given you only have one cert, I think this is ok, right?

 >>  > [GK26]Why is there still this superfluous
 >http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000AprJun/0188.html
 >   >If we make this restriction (I do not see an argument against it), I
 >   >to reject the SignatureProperties element at all, since it only works
as
 >   >an additional "container" level between Object and SignatureProperty,
 >   >nothing else.
 
Right, I agreed it is superflous and wanted to see if anyone else opposed
it's removal. I will confirm next week at the FTF.



_________________________________________________________
Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
Received on Thursday, 27 July 2000 18:53:29 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:10 GMT