W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 2000

Re: Comments on XML-Signature S&P draft

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Wed, 11 Oct 2000 16:09:18 -0400
Message-Id: <4.3.2.7.2.20001011160405.03478ef8@rpcp.mit.edu>
To: TAMURA Kent <kent@trl.ibm.co.jp>
Cc: w3c-ietf-xmldsig@w3.org
At 17:28 10/6/2000 +0900, TAMURA Kent wrote:
>But my question was that the order of canonicalizing SignedInfo
>(3.2.2 1) and obtaining the key (3.2.2 2) was really REQUIRED?

Ok, the text reads as below. However, I still have a question about the 
requirements over KeyInfo. If KeyInfo is provided and it doesn't contain a 
key that validates the Signature, but another Key can be found that does, is 
the signature valid? Basically, is the "or" in "keying information from 
KeyInfo or from an external source" is exlusive, or a "and/or".


3.2.2 Signature Validation

1. Obtain the keying information from KeyInfo or from an external source.
2. Obtain the canonical form of the SignatureMethod using  the 
CanonicalizationMethod and use the result (and previously obtained KeyInfo) 
to validate the SignatureValue over the SignedInfo element.

Note, KeyInfo (or some transformed version thereof) may be signed via a 
Reference element. Validation of this reference (3.2.1) is orthogonal to 
Signature Validation which uses the KeyInfo as parsed.

Additionally, the SignatureMethod URI may have been altered by the 
canonicalization of SignedInfo (e.g., absolutization of relative URIs) and 
it is the canonical form that MUST be used. However, the required 
canonicalization [XML-C14N] of this specification does not change URIs.

__
Joseph Reagle Jr.
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
Received on Wednesday, 11 October 2000 16:09:41 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:11 GMT