- From: Sean Mullan <Sean.Mullan@Sun.COM>
- Date: Fri, 30 May 2008 16:21:05 -0400
- To: Pratik Datta <pratik.datta@oracle.com>
- Cc: XMLSec <public-xmlsec-maintwg@w3.org>
Pratik Datta wrote:
> How about organizing the document like this?
>
> 1. Advice to verifiers
> This is all of section 2.1.1 which basically says if there are
> complicated transforms, you don't know what is being signed.
>
> 2. Advice to signers
> This is section 2.1.2 and section 2.4 which says not to sign a very
> small part of the document, but to include user name, action,
> timestamps, nonces etc into signature so that the signature can't be
> replayed with some changes.
>
> 3. Advice to implementors
> This is section 2.2 and 2.3 which talks of order of operations, and
> preventing denial of service attacks.

This looks better to me. I think I would like to see the Advice to implementors section come first, if only because it contains some of the most important best practices such as the order of operations and validating/trusting the key, both of which may also help reduce the risk associated with malicious transforms.

I haven't reviewed your detailed comments on my comments, but I will do that and respond later.

--Sean
Received on Friday, 30 May 2008 20:21:55 UTC