W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2003

Re: X509 data element

From: Rich Salz <rsalz@datapower.com>
Date: Wed, 05 Feb 2003 13:33:17 -0500
Message-ID: <3E4158ED.9040303@datapower.com>
To: Joseph Swaminathan <jswamina@cisco.com>
CC: Tom Gindin <tgindin@us.ibm.com>, w3c-ietf-xmldsig@w3.org 

>         My question is, if there is a content in the XML document we
> cannot trust, then shouldnt we, not use it for any purpose. What
> situation a data which can't be trusted be useful.

Signature validation might be performed by a third-party service that 
has no knowledge of the signer identities; separating authentication 
from authorization.  Perhaps it might help if you think of validation as 
a tri-state: trusted, untrusted, and indeterminate.


<example removed>

Your example can be summarized like this:  the organization is using 
unsigned data in its operations, and that can be hacked.  I agree.  But 
that's irrelevant here.

	/r$
Received on Wednesday, 5 February 2003 13:40:04 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:16 GMT