- From: Sean Mullan <sean.mullan@oracle.com>
- Date: Mon, 15 Aug 2011 15:18:06 -0400
- To: frederick.hirsch@nokia.com
- CC: public-xmlsec@w3.org
Looks fine to me. --Sean On 8/15/11 2:08 PM, frederick.hirsch@nokia.com wrote: > Dear Sean Mullan , > > The XML Security Working Group has reviewed the comments you sent [1] on > the Last Call Working Draft [2] of the XML Signature Syntax and Processing > Version 1.1 published on 3 Mar 2011. Thank you for having taken the time to > review the document and to send us comments! > > The Working Group's response to your comment is included below. > > Please review it carefully and let us know by email at > public-xmlsec@w3.org if you agree with it or not before 22 August 2011. In > case of disagreement, you are requested to provide a specific solution for > or a path to a consensus with the Working Group. If such a consensus cannot > be achieved, you will be given the opportunity to raise a formal objection > which will then be reviewed by the Director during the transition of this > document to the next stage in the W3C Recommendation Track. > > Thanks, > > For the XML Security Working Group, > Thomas Roessler > W3C Staff Contact > > 1. http://www.w3.org/mid/4E0B7BF4.1080407@oracle.com > 2. http://www.w3.org/TR/2011/CR-xmldsig-core1-20110303/ > > > ===== > > Your comment on 4.5 The KeyInfo Element KeyInfo is an optional element > that...: >> Section 4.5, paragraph 2: >> >> "If KeyInfo is omitted, the recipient is expected to be able to >> identify the key >> based on application context. Multiple declarations within KeyInfo >> refer to the >> same key. While applications may define and use any mechanism they >> choose >> through inclusion of elements from a different namespace, compliant >> versions >> must implement KeyValue (section 4.5.2 The KeyValue Element) and should >> >> implement RetrievalMethod (section 4.5.3 The RetrievalMethod >> Element)." >> >> These requirements seem like they should be revisited, especially since >> a later >> section says to avoid RetrievalMethod because of potential security >> concerns >> (see Note in section 4.5.10). Also, does this imply that all KeyValues >> must be >> supported? I would think it should only be supported if there is a >> required >> signature algorithm for the corresponding key type. Had there ever been >> any >> discussion about updating the list of required KeyInfo types? >> >> Thanks, >> Sean > > > Working Group Resolution (LC-2502): > 1. Added text to 1st paragraph on KeyInfo section to state the following: > > [[ > Details of the structure and usage of element children of KeyInfo other > than simple types described in this specification are out of scope. For > example, the definition of PKI certificate contents, certificate ordering, > certificate revocation and CRL management are out of scope. > ]] > > http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.html#sec-KeyInfo > > Added this text to both XML Signature 1.1 and XML Signature 2.0 > > 2. Added the following note to the section on RetrievalMethod in 1.1 > before the schema definition (4.5.3): > > [[ > Note: The KeyInfoReference element is preferred over use of > RetrievalMethod as it avoids use of Transform child elements that introduce > security risk and implementation challenges > ]] > > http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.html#sec-RetrievalMethod > > This and the earlier change to make KeyInfoReference a SHOULD instead of > RetrievalMethod (made to both 1.1 and 2.0) should complete the changes to > address LC-2506 > > [[ > While applications may define and use any mechanism they choose through > inclusion of elements from a different namespace, compliant versions must > implement KeyValue (section 4.5.2 The KeyValue Element) and should > implement KeyInfoReference (section 4.5.10 The KeyInfoReference Element). > KeyInfoReference is preferred over use of RetrievalMethod as it avoids use > of Transform child elements that introduce security risk and implementation > challenges. Support for other children of KeyInfo is optional. > ]] > > http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.html#sec-KeyInfo > > > > ---- > >
Received on Monday, 15 August 2011 19:19:03 UTC