- From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Date: Wed, 25 Feb 2009 18:10:51 -0500
- To: ext Thomas Roessler <tlr@w3.org>
- Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, "public-webapps@w3.org WG" <public-webapps@w3.org>
ok thanks, good to be clear. I'll go ahead and make the change.

regards, Frederick

Frederick Hirsch
Nokia

On Feb 25, 2009, at 5:59 PM, ext Thomas Roessler wrote:

> I was not suggesting that we should mandate X509Data (or anything like
> it).
>
> The point I was getting at was, that along with our using of X509
> certificates, people really ought to use basic path validation as
> specified in 5280 -- no matter where the certificate comes from. I
> think your change is fine.
> --
> Thomas Roessler, W3C <tlr@w3.org>
>
> On 25 Feb 2009, at 23:55, Frederick Hirsch wrote:
>
>> Thanks for the proposal Thomas.
>>
>> This proposal requiring Basic Path Validation seems to conflict with
>> X509Data being optional, the current language that I think we
>> discussed during the meeting:
>>
>> Generation:
>> 5c) The ds:KeyInfo element MAY be included and MAY include
>> certificate, CRL and/or OCSP information. If so, it MUST be
>> compliant with the [XMLDSIG11] specification. If certificates are
>> used they MUST conform to the mandatory certificate format.
>>
>> Validation:
>> If a ds:KeyInfo element is present then it MUST conform to the
>> [XMLDSIG11] specification. If present then any certificate chain
>> SHOULD be validated and any CRL or OCSP information may be used as
>> appropriate [RFC5280].
>>
>> I suggest we could also adopt your text by changing the final
>> sentence above to
>>
>> If present then user agents MUST perform Basic Path
>> Validation [RFC 5280] on the signing key and SHOULD perform
>> revocation checking as appropriate. The set of acceptable
>> trust anchors, and policy decisions based on the signer's identity
>> are established through a security-critical out-of-band mechanism.
>>
>> Question:
>> Should we require use of X509Data to convey certificates?
>>
>> I was suggesting not, since this could be conveyed out of band and
>> it might not always be appropriate to include in every signature.
>>
>> Thoughts on this one?
>>
>> regards, Frederick
>>
>> Frederick Hirsch
>> Nokia
>>
>> On Feb 25, 2009, at 9:23 AM, ext Thomas Roessler wrote:
>>
>>> I propose that we add the following text in the beginning of 6.2:
>>>
>>>> The validation procedure given in this section describes extensions
>>>> to XML Signature Core Validation. In addition to the steps defined
>>>> in these two specifications, user agents MUST perform Basic Path
>>>> Validation [RFC 5280] on the signing key. The set of acceptable
>>>> trust anchors, and policy decisions based on the signer's identity
>>>> are established through a security-critical out-of-band mechanism.
>>>
>>> (If somebody can think of something nicer to say, that's fine as
>>> well. Note that the Basic Path Validation requirement isn't really
>>> new -- it's implicit to our use of X.509, if done properly.
>>> Nevertheless, worth calling out properly.)
>>>
>>> --
>>> Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 25 February 2009 23:11:38 UTC
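The requirement the thread settles on, Basic Path Validation of the signing certificate against trust anchors configured out of band, regardless of whether the certificate arrived in ds:X509Data, can be exercised with the OpenSSL command line. This is an added example, not text or code from the thread or from the Widgets specification; it assumes the openssl CLI is installed, constructs a throwaway root and signing certificate, and leaves out the SHOULD-level revocation check.

```shell
#!/bin/sh
# Added example (not from the thread): RFC 5280 Basic Path Validation of a
# widget signing certificate against trust anchors configured out-of-band.
# Assumes the openssl CLI is installed. Every key and certificate below is
# constructed on the fly in a scratch directory; revocation checking
# (CRL/OCSP), the SHOULD in the proposed text, is not exercised here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Out-of-band trust anchor: the root the user agent is configured to accept.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout anchor.key -out anchor.pem -days 30 \
  -subj "/CN=Constructed Widget Root" 2>/dev/null

# Signing certificate issued by that anchor; this is what a signer might
# carry in ds:KeyInfo/ds:X509Data (or deliver out of band instead).
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout signer.key -out signer.csr -subj "/CN=Constructed Widget Signer" 2>/dev/null
openssl x509 -req -in signer.csr -CA anchor.pem -CAkey anchor.key \
  -CAcreateserial -out signer.pem -days 30 2>/dev/null

# A self-signed certificate a signer could just as well place in X509Data.
# The XML signature over the widget would still verify with its key, which
# is exactly why the path check must not be skipped.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout rogue.key -out rogue.pem -days 30 \
  -subj "/CN=Constructed Untrusted Signer" 2>/dev/null

# basic_path_validation ANCHORS CERT
# Succeeds only if CERT chains to a certificate in ANCHORS. openssl verify
# performs the RFC 5280 section 6 checks (signatures, validity period,
# basic constraints, name chaining); -no-CApath keeps the system
# directory out of the anchor set so only the configured file counts.
basic_path_validation() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

basic_path_validation anchor.pem signer.pem && echo "signer.pem: accepted"
basic_path_validation anchor.pem rogue.pem || echo "rogue.pem: rejected, no path to a configured anchor"
```

The same check applied to a certificate taken from X509Data and to one supplied out of band gives the same answer, which is the point of the thread: the anchor set, not the transport of the certificate, decides trust.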