Comments on XML-Signature S&P draft

Members of my group read the latest Canonical XML [1] and the
latest XML Signature [2].  The following are comments on [2]
from members.

[1] http://www.w3.org/TR/2000/WD-xml-c14n-20000907
[2] http://www.w3.org/TR/2000/WD-xmldsig-core-20000918/


1.3 Versions, Namespaces and Identifiers
	XSLT is identified and defined by an external namespace 
		http://www.w3.org/TR/1999/PR-xslt-19991008 
should be:
	XSLT is identified and defined by an external URI(?)
		http://www.w3.org/TR/1999/REC-xslt-19991116 


2.2 Extended Example (Object and SignatureProperty)
o The first paragraph, the second sentence from the bottom
	the SignatureProperty element.
should be:
	the <code>SignatureProperty</code> element.


2.3 Extended Example (Object and Manifest)
o The last example
   [m13]     </Reference>
   [m14] </Object>
should be:
   [m13]     </Reference>
   [m14]   </Manifest>
   [m15] </Object>


3.1 and 3.2
  "The REQUIRED steps" is too strong an expression.  The order of
these steps may be changed.  For example, in 3.2.2,
"1. Canonicalize..." and "2. Obtain..." are exchangeable.


3.2.1 Reference Validation
  Why do we have to canonicalize the SignedInfo before
processing References?


4.3.3.1 The URI Attribute
o the last paragraph
	S<code>ignatureProperties</code>
should be:
	<code>SignatureProperties</code>


4.3.3.2 The Reference Processing Model
o the first item in the first list after the second paragraph
	If the data object is a set of octets and ...
should be:
	If the data object is an octet stream and ...

o the first example of URI examples
	URI="http://example.com/bar.xml"
		Identifies the octets that represent the
		(unparsed) external XML resource 'http://example.com/bar.xml'.
The suffix of the URI is ".xml", but signature applications must
not suppose the URI identifies an XML document, and they need not
see the media type of this resource.  So, it should be:
		Identifies the octets that represent the
		external resource 'http://example.com/bar.xml',
		which is probably an XML document.

o the third example, URI=""
  Add a note that comment nodes are omitted.  It is difficult to
understand whether comment nodes are omitted or not in each
case.

o the fourth example, URI="#chapter1", the second sentence
	signature applications ...
should be:
	Signature applications ...


4.4 The KeyInfo Element
o the third paragraph
	... by this specification; these can used ...
should be:
	... by this specification; these can be used ...


4.4.3 The RetrievalMethod Element
o the second paragraph and Schema/DTD definition
  The second paragraph says "Type is an optional identifier",
but the Schema/DTD declare the Type attribute is required.

o DTD
	<!ATTLIST Type
should be:
	<!ATTLIST RetrievalMethod


4.4.4 The X509Data Element
  The specification does not describe how to include a certificate
chain, though a certificate chain is used in the example.  In the
example, how does a signature application know which certificate
has the key to verify the signature?


-- 
TAMURA Kent @ Tokyo Research Laboratory, IBM

Received on Thursday, 28 September 2000 21:27:34 UTC