W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2002

CRL in DSig interop test set

From: Ari Kermaier <arik@phaos.com>
Date: Fri, 19 Apr 2002 15:14:59 -0400
Message-Id: <5.1.0.14.2.20020419145847.030674e0@verio.phaos.com>
To: w3c-ietf-xmldsig@w3.org
Dear All,

In the new interop test set, merlin-xmldsig-twenty-three, there is one test 
signature that troubles me a little. The one called 
signature-x509-crt-crl.xml implies signature validation processing that 
isn't really described by the specification. It's all well and good that 
the X509Data element can be used to transport a CRL. However, actually 
using the CRL should be part of certificate path validation, rather than 
signature validation per se. I mean, we might as well be testing whether 
DSig implementations can correctly parse an AuthorityInfoAccess extension 
in the certificate and execute an OCSP lookup based on the contents. So, 
IMHO, deciding to check a certificate against a CRL is application-specific 
functionality that shouldn't really be introduced into interop testing for 
the DSig spec in general.

Cheers,

Ari


Ari Kermaier    arik@phaos.com
Senior Software Engineer
Phaos Technology Corp.    http://www.phaos.com/
Received on Friday, 19 April 2002 15:13:14 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:15 GMT