RE: XML Signature Recommendations Reference to FIPS 186-2 Now Broken

Gee, I guess it's a good thing we didn't sign the XML Signature Recommendation with a signature that includes references to its references.

If some data is important to the interpretation of a document, a copy of it must be included within the document to prevent these volatile URIs from breaking signatures unexpectedly.

That being said, if there were a reference-based signature over the XML Signature Recommendation, then the least attractive alternative (#2, Let it be) would be the only alternative.  I would think that such a signature would be less likely to break if the errata were changed than if the FIPS document were reinstated with a deprecation message.  So, the most desirable solution (#1, Reinstate with obsolete message) is the worst in terms of signatures-- fate, it seems, is not without a sense of irony.

John Boyer, Ph.D.
Senior Product Architect
PureEdge Solutions Inc.


-----Original Message-----
From: Joseph Reagle [mailto:reagle@w3.org]
Sent: Monday, October 21, 2002 11:23 AM
To: XML Signature
Cc: chairs@w3.org; FIPS186@nist.gov
Subject: XML Signature Recommendations Reference to FIPS 186-2 Now
Broken




Someone recently pointed out to me that the W3C XML Signature Recommendation 
contains the following reference, which contains a location that no longer 
works:

DSS
  FIPS PUB 186-2. Digital Signature Standard (DSS). U.S. Department
  of Commerce/National Institute of Standards and Technology.
  http://csrc.nist.gov/publications/fips/fips186-2/fips186-2.pdf

It appears that in October 2001 FIPS186-2 was updated with an appendix that 
contains some constraints and recommendations with respect to security 
concerns:
  http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf

However, the XML Signature Recommendation was published in February of 2002. 
I know the original link worked at that time. I don't know when the 
original specification was removed, what NIST's 
obsoletion/deprecation/revision policy is, nor what the removal means 
except that we now have a bad reference.

What do people think? Should we:
1. Ask NIST to maintain the URI, but update it saying that that version is 
obsoleted by a new revision?
2. Let it be?
3. Add an erratum to our own specification?

-- 
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Monday, 21 October 2002 14:53:41 UTC
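
The reply's point about including a copy of important data in the document, as an added sketch that is not part of either message: a reference digest is recomputed at validation time over whatever the URI yields then, so an external reference fails if the resource is removed or altered, while a same-document copy does not. Assumptions: the URI, the byte strings and the helper names are constructed; SHA-256 is chosen for the sketch; canonicalization, transforms and the signature value itself are left out.

```python
import base64
import hashlib

# Constructed stand-ins for the bytes served at an external URI over time.
ORIGINAL = b"FIPS PUB 186-2 (constructed placeholder bytes)"
NOTICE = b"OBSOLETE: superseded by a newer revision.\n" + ORIGINAL

EXTERNAL_URI = "http://example.org/spec.pdf"  # hypothetical URI
EMBEDDED_URI = "#spec-copy"                   # same-document reference


def digest(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def make_reference(uri: str, data: bytes) -> dict:
    """Signing time: record the URI and the digest of what it yielded."""
    return {"uri": uri, "digest": digest(data)}


def validate_reference(ref: dict, document: dict, web: dict) -> str:
    """Validation time: dereference again and compare digests."""
    if ref["uri"].startswith("#"):
        data = document.get(ref["uri"][1:])  # travels with the document
    else:
        data = web.get(ref["uri"])           # whatever is served today
    if data is None:
        return "unresolvable"
    return "valid" if digest(data) == ref["digest"] else "digest mismatch"


def run_scenarios() -> dict:
    document = {"spec-copy": ORIGINAL}
    refs = {
        "external": make_reference(EXTERNAL_URI, ORIGINAL),
        "embedded": make_reference(EMBEDDED_URI, ORIGINAL),
    }
    webs = {
        "unchanged": {EXTERNAL_URI: ORIGINAL},
        "removed": {},
        "reinstated with notice": {EXTERNAL_URI: NOTICE},
    }
    return {(kind, state): validate_reference(ref, document, web)
            for kind, ref in refs.items() for state, web in webs.items()}


if __name__ == "__main__":
    for key, result in run_scenarios().items():
        print(key, "->", result)
```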