- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Tue, 7 Oct 2008 14:41:44 -0400
- To: ext Juan Carlos Cruellas <cruellas@ac.upc.edu>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, public-xmlsec@w3.org
Juan Carlos Thanks for reviewing the best practices document I believe your comment is in the following document you uploaded: http://www.w3.org/2008/xmlsec/Drafts/best-practices/comments-bhill-jcc.html The comment is in section 2.1 before the first best practice and is: "[jcc: I think that best practices 1 and 3 overlap somehow, as they seem to mix two concepts: "authentication" of the signer, and trust in that signer. I would also say that the header of best practice 1 is a does not completely match the content, as its content actually speaks of trust not of authentication. My proposal would be to change the header of best practice 1 to: "Mitigate denial of service attacks by executing potentially dangerous operations only after establishing trust in the signer key". After that I would suppress best practice 3. ]" Thus in the latest editors draft http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/ I believe your proposal is: 1. change the title of best practice 1 to: "Mitigate denial of service attacks by executing potentially dangerous operations only after establishing trust in the signer key" 2. remove best practice 2: Best Practice 2: Establish trust in the verification/validation key. However I think the intent of best practice 1 was to indicate verification of the signature on SignedInfo before validating references and #2 was to also remind to verify keys, thus I suggest we do not make the change you suggest, since #1 did include signature verification and #2 is important to call out the importance of key verification. regards, Frederick Frederick Hirsch Nokia On Oct 7, 2008, at 11:16 AM, ext Juan Carlos Cruellas wrote: > > Dear all, > > I have posted a reviewed version of the best practices documents with > one comment as reported in the message below: > > http://lists.w3.org/Archives/Member/member-xmlsec-commits/2008Oct/0004.html > > This should be close action 58 on myself. > > Regards > > Juan Carlos. > > > >
Received on Tuesday, 7 October 2008 18:42:27 UTC