Re: Indicating certificate order in XML Dig Sig


I have added a comment in our tracker tool regarding addition of an informative reference and link to XML Signature Best Practices to Introduction/References of XML Signature 1.1 (and implicitly XML Signature 2.0 as well).

See LC-2504 :

I've also recorded and marked as resolved the issue related to certificate order, LC-2503,

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security WG

On Jun 28, 2011, at 6:16 PM, ext Marcos Caceres wrote:

> HI Fredrick, XML Sec WG,
> On Tue, Jun 28, 2011 at 8:43 PM,  <> wrote:
>> Marcos
>> The XML Security WG discussed your proposed addition regarding certificate ordering at our teleconference today [1].
>> The Working Group does not agree to change the core XML Signature specification as these would not be normative changes to that specification. The XML Signature specification focuses on the details of signing but  as a design choice does not detail generic PKI considerations (or details related to the various KeyInfo materials that have schema places in the specification) [2].
> Understood.
>> The sense of the Working Group is that a  profile of XML Signature, such as Widget SIgnature would be an appropriate place to note practices or restrictions important to that specification.
> I will add this non-normative note to the Widget Signature specification.
>> However, the XML Security WG does have a non-normative XML Signature Best Practices document [3] and could add material such as this to it, which would probably also make sense. Would you be able to craft language for a best practice (the document uses a format of expressing the issue, a short statement of the practice and then details).
> I'd be happy to proposed some text. I'll just send you whatever ends
> up in the Widget Sig specification.
> Additionally, it is great that the XML Security Working Group has
> created a best practices document. I would encourage the Working Group
> to link to the best practices from the Introduction of the
> specification or as a non-normative reference. Or add it under the
> Editors as a link in the header of the document, so it can be quickly
> and easily found.
> Again, I speak from having dealt with numerous (~7) companies trying
> to implement XML Dig Sig 1.1 + the Widgets Signature spec. There is *a
> lot* of confusion about this stuff out there and a lot of frustration
> because its super hard to find any useful guidance or information
> easily.
> I urge the working group, please: this is a pretty good technology and
> it's not that hard to use once you understand what is going on. The
> more guidance this working group can provide, the better. I'll do my
> bit on the Widget Dig Sig side, but you guys also have a
> responsibility to make XML Dig Sigs a pleasant experience to use (from
> a specification, implementation, and author perspective). At least
> linking to the best practices guide from the spec is a step in the
> right direction, even if you don't include a non-normative note about
> it.
> Kind regards,
> Marcos
> -- 
> Marcos Caceres

Received on Friday, 1 July 2011 14:47:12 UTC