Comments on best practices revision

Some comments on this revision from April 14th, 2008:

http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/

In section 2.1, I think there are a few cleanups needed, as well as
motivation for a change to the Signature spec.

There's a statement about RetrievalMethod in which it's suggested that a use
case for it is to avoid duplicate KeyInfo structures in a document with >1
signature, but then a follow-on statement that "the implementation may
choose to allow only very constrained RetrievalMethods - e.g. those that do
not have any transforms, and only one level of indirection using a local
URI."

This is contradictory because the existing schema is limiting and does not
allow for RetrievalMethod to point to a certificate without in fact using a
Transform to get inside the referenced KeyInfo element. This is because only
KeyInfo carries an XML ID.

Secondly, the following paragraph implies that using X509Certificate in
KeyInfo implies PKIX processing of the certificate. There is no such
requirement in the spec. It merely identifies a certificate. What the
relying party does with it is not dictated by the spec. (As an aside, it's
also referencing an old PKIX RFC, I think.)

-- Scott

Received on Tuesday, 26 August 2008 14:41:37 UTC
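As an added illustration of the RetrievalMethod constraint discussed in the message above (this is example code written for this page; it is not part of Scott's message, the W3C best-practices draft, or any XML Signature implementation), the following Python resolver enforces exactly the policy quoted from the draft: same-document fragment URI, no Transforms, one level of indirection. The sample document, the Id values ki1..ki5 and the certificate text are constructed for the example; the Type values are the ones the xmldsig namespace defines. Run against a KeyInfo whose RetrievalMethod points at another KeyInfo with Type=...#X509Data, the resolver rejects it, because the fragment lands on a KeyInfo (the only KeyInfo-related element that carries an Id in the schema), not on an X509Data; the only way to make that case work without Transforms is to treat the referenced KeyInfo as a KeyInfo and read its X509Data directly.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"


def qn(local):
    """Clark-notation name for an element in the XML Signature namespace."""
    return "{%s}%s" % (DS, local)


class RetrievalError(Exception):
    """Raised when a RetrievalMethod falls outside the allowed policy."""


def index_ids(root):
    """Map every Id attribute in the document to its element.

    In the xmldsig schema the Id attribute exists on KeyInfo, Signature,
    SignatureValue, Reference, Object, Manifest and SignatureProperties,
    but not on X509Data or X509Certificate, so a fragment URI can only
    land on one of those elements.
    """
    return {el.get("Id"): el for el in root.iter() if el.get("Id") is not None}


def resolve_retrieval_method(rm, ids):
    """Dereference one ds:RetrievalMethod under a deliberately tight policy
    (an assumption for this example, matching the draft's suggestion):
    a same-document fragment URI, no Transforms, and a Type (if given)
    whose local name must match the element the URI lands on."""
    uri = rm.get("URI")
    if not uri or not uri.startswith("#") or len(uri) == 1:
        raise RetrievalError("only same-document fragment URIs are allowed: %r" % uri)
    if rm.find(qn("Transforms")) is not None:
        raise RetrievalError("Transforms are not allowed in RetrievalMethod")
    target = ids.get(uri[1:])
    if target is None:
        raise RetrievalError("no element with Id %r" % uri[1:])
    rm_type = rm.get("Type")
    if rm_type is not None:
        # Type values are URIs in the dsig namespace, e.g. ...#X509Data.
        # (...#rawX509Certificate names binary data, which this XML-only
        # resolver cannot produce, so it is rejected by the same check.)
        if not rm_type.startswith(DS):
            raise RetrievalError("unsupported Type %r" % rm_type)
        expected = qn(rm_type[len(DS):])
        if target.tag != expected:
            raise RetrievalError("URI %s resolves to %s, not %s" % (uri, target.tag, expected))
    return target


def certificates_from_keyinfo(ki, ids, _depth=0):
    """Collect base64 X509Certificate values reachable from a ds:KeyInfo,
    following at most one level of RetrievalMethod indirection."""
    certs = []
    for child in ki:
        if child.tag == qn("X509Data"):
            certs.extend(c.text.strip() for c in child.findall(qn("X509Certificate")))
        elif child.tag == qn("RetrievalMethod"):
            if _depth >= 1:
                raise RetrievalError("more than one level of RetrievalMethod indirection")
            target = resolve_retrieval_method(child, ids)
            if target.tag == qn("KeyInfo"):
                # The fragment landed on a KeyInfo; read it as one.
                certs.extend(certificates_from_keyinfo(target, ids, _depth + 1))
            elif target.tag == qn("X509Data"):
                # Not reachable for a schema-valid document (X509Data has no Id).
                certs.extend(c.text.strip() for c in target.findall(qn("X509Certificate")))
            else:
                raise RetrievalError("RetrievalMethod target %s carries no key material" % target.tag)
    return certs


# Constructed sample: several signatures in one document, the later ones
# reusing the first KeyInfo by reference. The certificate value is a
# placeholder, not a real certificate.
SAMPLE = """<Doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:KeyInfo Id="ki1">
    <ds:X509Data><ds:X509Certificate>MIIBexampleNotARealCert</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></ds:Signature>
  <ds:Signature><ds:KeyInfo Id="ki2">
    <ds:RetrievalMethod URI="#ki1"/>
  </ds:KeyInfo></ds:Signature>
  <ds:Signature><ds:KeyInfo Id="ki3">
    <ds:RetrievalMethod URI="#ki1" Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>
  </ds:KeyInfo></ds:Signature>
  <ds:Signature><ds:KeyInfo Id="ki4">
    <ds:RetrievalMethod URI="#ki2"/>
  </ds:KeyInfo></ds:Signature>
  <ds:Signature><ds:KeyInfo Id="ki5">
    <ds:RetrievalMethod URI="#ki1"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"/>
    </ds:Transforms></ds:RetrievalMethod>
  </ds:KeyInfo></ds:Signature>
</Doc>"""


def collect(keyinfo_id):
    """Certificates reachable from the KeyInfo with the given Id in SAMPLE."""
    root = ET.fromstring(SAMPLE)
    ids = index_ids(root)
    return certificates_from_keyinfo(ids[keyinfo_id], ids)


def rejection_reason(keyinfo_id):
    """The policy violation for a KeyInfo in SAMPLE, or None if accepted."""
    try:
        collect(keyinfo_id)
    except RetrievalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for kid in ("ki1", "ki2", "ki3", "ki4", "ki5"):
        print(kid, "->", rejection_reason(kid) or collect(kid))
```

ki1 and ki2 yield the certificate; ki3 (Type=X509Data against a KeyInfo target), ki4 (two levels of indirection) and ki5 (a Transforms child) are all rejected by the constrained policy.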