
Re: Comments/Questions about the XML-Signature spec

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Thu, 31 May 2001 18:25:56 -0400
Message-Id: <4.3.2.7.2.20010531182332.02f095f0@localhost>
To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: <Erwin.Vanderkoogh@sun.com>, w3c-ietf-xmldsig@w3.org

At 00:00 5/10/2001 -0400, Donald E. Eastlake 3rd wrote:
>From:  Erwin van der Koogh - Sun Ireland - Software developer
> >I think it should be stressed extremely obviously multiple times all over the
> >spec that you still need to verify the key supplied in the KeyInfo. By checking
> >whether the key is from the person who supposedly signed the document and by
> >verifying and trusting one or more signatures on the key.
>
>The XMLDSIG standard is not about trust. It is about the mechanical
>linkage of data to a key.

[ Resulting document
         http://www.w3.org/Signature/Drafts/xmldsig-core/Overview.html


4.4 The KeyInfo Element
... /+However, questions of trust of such key information (e.g., its 
authenticity or strength) are out of scope of this specification and left 
to the application.+/
]


--
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Thursday, 31 May 2001 18:26:06 GMT
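
The application-side check this thread leaves to the application, as an added example that is not part of the original message or of the XML-Signature specification: before relying on a signature, decide whether the certificate in `ds:KeyInfo` is one the application already trusts. Fingerprint pinning is an assumed trust policy, the function names are hypothetical, and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-Signature namespace

def keyinfo_cert_fingerprints(signature_xml: str) -> list[str]:
    """SHA-256 fingerprints of the certificates in the Signature's own KeyInfo."""
    root = ET.fromstring(signature_xml)
    if root.tag != DS + "Signature":
        raise ValueError("expected ds:Signature as the root element")
    path = f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate"
    prints = []
    for cert in root.findall(path):
        # Base64 text may be line-wrapped; strip whitespace, then decode strictly.
        der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def signer_key_is_trusted(signature_xml: str, pinned: set[str]) -> bool:
    """Trust decision only. Signature validation (the mechanical linkage of
    data to a key) is a separate step and must use this same certificate."""
    prints = keyinfo_cert_fingerprints(signature_xml)
    if len(prints) != 1:
        # Missing or ambiguous KeyInfo: the sender's data cannot pick the key.
        return False
    return prints[0] in pinned

def sample_signature(cert_der: bytes) -> str:
    """Constructed sample: structure only, no real signature value."""
    b64 = base64.b64encode(cert_der).decode()
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            "<ds:SignedInfo/><ds:SignatureValue/>"
            f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>")

# Constructed placeholders standing in for DER-encoded certificates.
KNOWN_SIGNER = b"constructed placeholder: expected signer's certificate"
OTHER_KEY = b"constructed placeholder: some other party's certificate"
PINNED = {hashlib.sha256(KNOWN_SIGNER).hexdigest()}  # assumed trust store

if __name__ == "__main__":
    for label, der in (("known signer", KNOWN_SIGNER), ("other key", OTHER_KEY)):
        print(label, "->", signer_key_is_trusted(sample_signature(der), PINNED))
```

A signature made with the second key would validate mechanically against its own KeyInfo; only the pinning step distinguishes the two.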
