Re: Indicating certificate order in XML Dig Sig from Marcos Caceres on 2011-06-28 (public-webapps@w3.org from April to June 2011)

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Tue, 28 Jun 2011 23:16:38 +0100
To: Frederick.Hirsch@nokia.com
Cc: public-xmlsec@w3.org, public-webapps@w3.org, tlr@w3.org, kai.hendry@wacapps.net, paddy.byers@gmail.com
Message-ID: <BANLkTi=ztsU8cyC06JZY1t8dUYhKwBKSRQ@mail.gmail.com>

HI Fredrick, XML Sec WG,

On Tue, Jun 28, 2011 at 8:43 PM,  <Frederick.Hirsch@nokia.com> wrote:
> Marcos
>
> The XML Security WG discussed your proposed addition regarding certificate ordering at our teleconference today [1].
>
> The Working Group does not agree to change the core XML Signature specification as these would not be normative changes to that specification. The XML Signature specification focuses on the details of signing but  as a design choice does not detail generic PKI considerations (or details related to the various KeyInfo materials that have schema places in the specification) [2].
>

Understood.

> The sense of the Working Group is that a  profile of XML Signature, such as Widget SIgnature would be an appropriate place to note practices or restrictions important to that specification.
>

I will add this non-normative note to the Widget Signature specification.

> However, the XML Security WG does have a non-normative XML Signature Best Practices document [3] and could add material such as this to it, which would probably also make sense. Would you be able to craft language for a best practice (the document uses a format of expressing the issue, a short statement of the practice and then details).
>

I'd be happy to proposed some text. I'll just send you whatever ends
up in the Widget Sig specification.

Additionally, it is great that the XML Security Working Group has
created a best practices document. I would encourage the Working Group
to link to the best practices from the Introduction of the
specification or as a non-normative reference. Or add it under the
Editors as a link in the header of the document, so it can be quickly
and easily found.

Again, I speak from having dealt with numerous (~7) companies trying
to implement XML Dig Sig 1.1 + the Widgets Signature spec. There is *a
lot* of confusion about this stuff out there and a lot of frustration
because its super hard to find any useful guidance or information
easily.

I urge the working group, please: this is a pretty good technology and
it's not that hard to use once you understand what is going on. The
more guidance this working group can provide, the better. I'll do my
bit on the Widget Dig Sig side, but you guys also have a
responsibility to make XML Dig Sigs a pleasant experience to use (from
a specification, implementation, and author perspective). At least
linking to the best practices guide from the spec is a step in the
right direction, even if you don't include a non-normative note about
it.

Kind regards,
Marcos
-- 
Marcos Caceres
http://datadriven.com.au

Received on Tuesday, 28 June 2011 22:17:28 UTC