Re: Comments on XML-Signature S&P draft from TAMURA Kent on 2000-10-06 (w3c-ietf-xmldsig@w3.org from October to December 2000)

From: TAMURA Kent <kent@trl.ibm.co.jp>
Date: Fri, 6 Oct 2000 17:28:46 +0900
To: w3c-ietf-xmldsig@w3.org
Message-Id: <200010060828.RAA39848@ns.trl.ibm.com>

In message "Re: Comments on XML-Signature S&P draft"
    on 00/10/05, "Joseph M. Reagle Jr." <reagle@w3.org> writes:
> Forget about KeyInfo for the time being.
> 
> In order for applications to do signature validation (3.2.2) it must use the 
> specified SignatureMethod algorithm identifier. Since that is part of 
> SignedInfo, and SignedInfo is potentially altered by CanonicalizeMethod 
> before it is signed, signature validation should see the canonicalized form 
> of the SignatureMethod algorithm identifier.

Yes, that's right.

But my question was that the order of canonicalizing SignedInfo
(3.2.2 1) and obtaining the key (3.2.2 2) was really REQUIRED?

-- 
TAMURA Kent @ Tokyo Research Laboratory, IBM

Received on Friday, 6 October 2000 06:05:52 UTC