- From: Scott Cantor <cantor.2@osu.edu>
- Date: Tue, 26 Aug 2008 10:40:57 -0400
- To: <public-xmlsec@w3.org>
Some comments on this revision from April 14th, 2008: http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/

In section 2.1, I think there are a few cleanups needed, as well as motivation for a change to the Signature spec.

There's a statement about RetrievalMethod in which it's suggested that a use case for it is to avoid duplicate KeyInfo structures in a document with >1 signature, but then a follow-on statement that "the implementation may choose to allow only very constrained RetrievalMethods - e.g. those that do not have any transforms, and only one level of indirection using a local URI."

This is contradictory because the existing schema is limiting and does not allow for RetrievalMethod to point to a certificate without in fact using a Transform to get inside the referenced KeyInfo element. This is because only KeyInfo carries an XML ID.

Secondly, the following paragraph implies that using X509Certificate in KeyInfo implies PKIX processing of the certificate. There is no such requirement in the spec. It merely identifies a certificate. What the relying party does with it is not dictated by the spec. (As an aside, it's also referencing an old PKIX RFC, I think.)

-- Scott
Received on Tuesday, 26 August 2008 14:41:37 UTC
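
The constraint quoted in the message above ("no transforms, one level of indirection, local URI") can be written as a small policy check. This is an added example, not part of the original post or of the draft under review. The function names, the `ki-*` IDs and the placeholder certificate text are constructed for illustration. It shows that a transform-free same-document reference can only land on `KeyInfo`, while the XPath variant that could reach the certificate is what the policy rejects.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"

def q(name):
    """Qualified ElementTree tag name in the XML Signature namespace."""
    return "{" + DS + "}" + name

# Constructed sample: ki-1 holds the certificate, ki-2 and ki-3 try to reuse it.
SAMPLE = f"""<doc xmlns:ds="{DS}">
  <ds:KeyInfo Id="ki-1">
    <ds:X509Data><ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo>
  <ds:KeyInfo Id="ki-2">
    <ds:RetrievalMethod URI="#ki-1" Type="{DS}X509Data"/>
  </ds:KeyInfo>
  <ds:KeyInfo Id="ki-3">
    <ds:RetrievalMethod URI="#ki-1" Type="{DS}X509Data">
      <ds:Transforms><ds:Transform Algorithm="{XPATH}"/></ds:Transforms>
    </ds:RetrievalMethod>
  </ds:KeyInfo>
</doc>"""

def check_retrieval_method(root, rm):
    """Apply the constrained policy, then compare the declared Type with the target."""
    uri = rm.get("URI", "")
    if rm.find(q("Transforms")) is not None:
        return ("rejected", "transforms present")
    if not uri.startswith("#") or len(uri) < 2:
        return ("rejected", "non-local URI")
    targets = [e for e in root.iter() if e.get("Id") == uri[1:]]
    if len(targets) != 1:
        return ("rejected", "ID missing or not unique")
    target = targets[0]
    if target.find(".//" + q("RetrievalMethod")) is not None:
        return ("rejected", "more than one level of indirection")
    local = target.tag.split("}")[1]
    declared = rm.get("Type")
    # Only KeyInfo carries an Id, so the resolved element is KeyInfo, not X509Data.
    if declared and declared != DS + local:
        return ("type-mismatch", local)
    return ("ok", local)

def run(sample=SAMPLE):
    root = ET.fromstring(sample)
    return {ki.get("Id"): check_retrieval_method(root, ki.find(q("RetrievalMethod")))
            for ki in root.iter(q("KeyInfo")) if ki.find(q("RetrievalMethod")) is not None}

if __name__ == "__main__":
    for key_info_id, verdict in run().items():
        print(key_info_id, verdict)
```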