- From: Harada <harada@prs.cs.fujitsu.co.jp>
- Date: Wed, 3 Oct 2001 11:48:49 +0900
- To: "TAMURA Kent" <kent@trl.ibm.co.jp>, <w3c-ietf-xmldsig@w3.org>, <toriumi@sysrap.cs.fujitsu.co.jp>
Hi TAMURA,

I agree with you at the point of not using X509CRLs in verifying.
But I don't agree with you on the KeyValue element.
I think whether a KeyValue is trusted or not is decided by a system, but not by a processor.
So our XML signature processor raises an error event like SAX, if a SignedInfo-verifying X509Certificate is not or is not trusted.
When it's NG as Signature, we throw a fatal Exception.

----- Original Message -----
From: "TAMURA Kent" <kent@trl.ibm.co.jp>
To: <harada@prs.cs.fujitsu.co.jp>; <w3c-ietf-xmldsig@w3.org>; <toriumi@sysrap.cs.fujitsu.co.jp>
Sent: Tuesday, October 02, 2001 4:59 PM
Subject: Re: Fw: Re:Call for Review: XML Digital Signature is a W3C Proposed Recommendation

> In message "Fw: Re:Call for Review: XML Digital Signature is a W3C Proposed Recommendation"
> on 01/09/18, "Harada" <harada@prs.cs.fujitsu.co.jp> writes:
> > In verifying, do you use X509CRLs which is created before verifying?
>
> X.509 CRL has information about "updated date" and "next update
> date". So we can assume the CRL attached to a signature is the
> latest until "next update date".
>
> In my opinion, we would use neither X509CRL elements nor
> KeyValue elements with signatures in practical systems.
> X509CRLs with signatures might be old, and we should not trust
> key information not in X.509 certificates. A signature should
> have an X.509 certificate or a key name, and verifier retrieve
> CRL from a local XKMS service.
>
> --
> TAMURA Kent @ Tokyo Research Laboratory, IBM
Received on Tuesday, 2 October 2001 22:47:43 UTC
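
The CRL freshness question discussed in this thread, as an added example that is not part of either message or of any implementation mentioned in it: a CRL shipped with the signature can still be inside its update window and yet miss a revocation that a CRL retrieved at verification time already lists. The `Crl` record, the function names, the serial number and the dates are constructed for illustration; the example assumes the CRLs have already been parsed and their own signatures checked.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a parsed X.509 CRL (only the fields used here)."""
    this_update: datetime          # the "updated date" of the CRL
    next_update: datetime          # the "next update date" of the CRL
    revoked_serials: frozenset     # serial numbers listed as revoked


def is_current(crl: Crl, now: datetime) -> bool:
    """A CRL is usable at `now` only inside [this_update, next_update)."""
    return crl.this_update <= now < crl.next_update


def pick_crl(embedded: Optional[Crl], retrieved: Optional[Crl],
             now: datetime) -> Optional[Crl]:
    """Return the current CRL with the latest this_update, or None."""
    current = [c for c in (embedded, retrieved)
               if c is not None and is_current(c, now)]
    return max(current, key=lambda c: c.this_update, default=None)


def check_revocation(serial: int, embedded: Optional[Crl],
                     retrieved: Optional[Crl], now: datetime) -> str:
    """Return 'good', 'revoked', or 'unknown' (no current CRL available)."""
    crl = pick_crl(embedded, retrieved, now)
    if crl is None:
        return "unknown"   # left to the calling system's policy
    return "revoked" if serial in crl.revoked_serials else "good"


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: the CRL attached to the signature predates the
# revocation of serial 0x1A2B; the CRL retrieved by the verifier lists it.
SERIAL = 0x1A2B
EMBEDDED = Crl(utc(2001, 9, 1), utc(2001, 10, 1), frozenset())
RETRIEVED = Crl(utc(2001, 9, 15), utc(2001, 10, 15), frozenset({SERIAL}))

if __name__ == "__main__":
    now = utc(2001, 9, 20)
    print("embedded only:", check_revocation(SERIAL, EMBEDDED, None, now))
    print("with retrieved:", check_revocation(SERIAL, EMBEDDED, RETRIEVED, now))
```
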