Re: Comments on XML-Signature S&P draft

In message "Re: Comments on XML-Signature S&P draft"
    on 00/10/02, "Joseph M. Reagle Jr." <reagle@w3.org> writes:
> >3.1 and 3.2
> >   "The REQUIRED steps" is too strong an expression.  The order of
> >these steps may be changed.  For example, in 3.2.2,
> >"1. Canonicalize..." and "2. Obtain..." are exchangeable.
> >3.2.1 Reference Validation
> >   Why do we have to canonicalize the SignedInfo before
> >processing References?
> 
> Both of these are the same issue. As we recommend you see what you sign, and 
> the CanonicalizationMethod might tweak the content of SignedInfo, it should 
> be processed and then processed. For instance, say at some point the issue 
> of relative URIs results in a CanonicalizationMethod that rewrites URIs in 
> a novel way, you should apply CanonicalizationMethod first before processing 
> them. This text is there to ensure security, though I expect if understood 
> by implementors it won't result in a big deal. If they know they only 
> support one CanonicalizationMethod, and that Method is safe then they might 
> choose not to do this so as to optimize, but that's their choice and the 
> spec needs to be clear. There's a parenthetical comment in the latest draft, 
> do we need more motivating text?

Ok, I have understood the order of c14n and Reference
processing.  But how about the order of c14n and obtaining a key
(1 and 2 in 3.2.2)?  The SignedInfo has no reference to the
KeyInfo.

-- 
TAMURA Kent @ Tokyo Research Laboratory, IBM

Received on Tuesday, 3 October 2000 01:37:45 UTC
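
An added illustration of the ordering point in the quoted reply above (not part of either message, and not code from the specification): a hypothetical CanonicalizationMethod, `urn:example:absolutize-uris`, rewrites relative Reference URIs, so Reference validation dereferences a different resource depending on whether SignedInfo is canonicalized first. The hosts, the in-memory `STORE`, the simplified SignedInfo and the use of SHA-256 are all constructed assumptions.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample data: the signer's base URI and two reachable resources.
SIGNER_BASE = "http://signer.example/docs/"
STORE = {
    "http://signer.example/docs/order.xml": b"<order total='10'/>",
    "http://mirror.example/cache/order.xml": b"<order total='9999'/>",
}

def digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

ORDER_DIGEST = digest(STORE[SIGNER_BASE + "order.xml"])
# Simplified SignedInfo (SignatureMethod and DigestMethod omitted for brevity).
SIGNED_INFO = f"""<SignedInfo xmlns="{DS}">
  <CanonicalizationMethod Algorithm="urn:example:absolutize-uris"/>
  <Reference URI="order.xml"><DigestValue>{ORDER_DIGEST}</DigestValue></Reference>
</SignedInfo>"""

def canonicalize(signed_info_xml):
    """Hypothetical method: rewrite each Reference URI to absolute form."""
    root = ET.fromstring(signed_info_xml)
    for ref in root.iter(f"{{{DS}}}Reference"):
        ref.set("URI", urljoin(SIGNER_BASE, ref.get("URI")))
    return ET.tostring(root, encoding="unicode")

def validate_references(signed_info_xml, retrieval_base):
    """Dereference each Reference URI and compare its digest to DigestValue."""
    root = ET.fromstring(signed_info_xml)
    results = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = urljoin(retrieval_base, ref.get("URI"))
        ok = digest(STORE[uri]) == ref.findtext(f"{{{DS}}}DigestValue")
        results.append((uri, ok))
    return results

def compare_orders(retrieval_base):
    # Same SignedInfo, validated before and after canonicalization.
    raw = validate_references(SIGNED_INFO, retrieval_base)
    canonical = validate_references(canonicalize(SIGNED_INFO), retrieval_base)
    return raw, canonical

if __name__ == "__main__":
    print(compare_orders("http://mirror.example/cache/"))
```

Only the canonical form is what the signature value covers, so only the second result describes the resource the signer actually named.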