- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Thu, 31 May 2001 18:25:56 -0400
- To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
- Cc: <Erwin.Vanderkoogh@sun.com>, w3c-ietf-xmldsig@w3.org
At 00:00 5/10/2001 -0400, Donald E. Eastlake 3rd wrote:
>From: Erwin van der Koogh - Sun Ireland - Software developer
> >I think it should be stressed extremely obviously multiple times all over the
> >spec that you still need to verify the key supplied in the KeyInfo. By checking
> >whether the key is from the person who supposedly signed the document and by
> >verifying and trusting one or more signatures on the key.
>
>The XMLDSIG standard is not about trust. It is about the mechanical
>linkage of data to a key.
[ Resulting document
http://www.w3.org/Signature/Drafts/xmldsig-core/Overview.html
4.4 The KeyInfo Element
... /+However, questions of trust of such key information (e.g., its
authenticity or strength) are out of scope of this specification and left
to the application.+/
]
--
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature
W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Thursday, 31 May 2001 18:26:06 UTC
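
Added example (not part of the original message or of the XMLDSIG specification): the distinction discussed above, with the mechanical check of a signature against the key carried in KeyInfo kept separate from the application's decision to trust that key. Assumptions: a simplified constructed document (no canonicalization, SignedInfo or Reference processing), textbook RSA on toy primes, and a hypothetical pinned-fingerprint trust store; the function and variable names are illustrative.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
E = 65537  # public exponent used by both constructed keys

def digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def b64(n: int) -> str:
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def unb64(text: str) -> int:
    return int.from_bytes(base64.b64decode(text), "big")

def make_signed(data: str, p: int, q: int) -> str:
    """Constructed sample: sign plain-text data with toy RSA, embed the public key in KeyInfo."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    sig = pow(digest_int(data.encode(), n), d, n)
    return (f'<Doc xmlns:ds="{NS["ds"]}"><Data>{data}</Data><ds:Signature>'
            f'<ds:SignatureValue>{b64(sig)}</ds:SignatureValue><ds:KeyInfo><ds:KeyValue>'
            f'<ds:RSAKeyValue><ds:Modulus>{b64(n)}</ds:Modulus><ds:Exponent>{b64(E)}'
            f'</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature></Doc>')

def key_fingerprint(n: int, e: int) -> str:
    # Hypothetical pinning format for this example: SHA-256 over "modulus:exponent".
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

def verify(xml_text: str, trusted: dict) -> dict:
    """Report the mechanical result and the application's trust decision separately."""
    root = ET.fromstring(xml_text)
    n = unb64(root.findtext(".//ds:Modulus", namespaces=NS))
    e = unb64(root.findtext(".//ds:Exponent", namespaces=NS))
    sig = unb64(root.findtext(".//ds:SignatureValue", namespaces=NS))
    data = root.findtext("Data").encode()
    mechanical = pow(sig, e, n) == digest_int(data, n)   # data is linked to *a* key
    signer = trusted.get(key_fingerprint(n, e))          # is it a key we vouch for?
    return {"signature_valid": mechanical, "signer": signer,
            "accept": mechanical and signer is not None}

# Constructed keys (toy Mersenne primes, far too small for real use) and trust store.
ALICE = (2**89 - 1, 2**127 - 1)
OTHER = (2**61 - 1, 2**107 - 1)
TRUSTED = {key_fingerprint(ALICE[0] * ALICE[1], E): "alice@example.org"}
genuine = make_signed("pay 10 EUR", *ALICE)
unvouched = make_signed("pay 10 EUR", *OTHER)

if __name__ == "__main__":
    for name, doc in (("genuine", genuine), ("unvouched", unvouched)):
        print(name, verify(doc, TRUSTED))
```

Both documents pass the mechanical check; only the one whose KeyInfo key matches a pinned fingerprint is accepted by the application.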