XML Security KeyInfoReference confusion

Scott,

I'm looking at the text in XML Signature 1.1 related to RetrievalMethod and KeyInfoReference and see the following:

RetrievalMethod (4.5.3, http://www.w3.org/TR/2010/WD-xmldsig-core1-20100513/#sec-RetrievalMethod )

"Note that when referencing one of the defined KeyInfo types within the same document, or some remote documents, at least one Transform is required to turn an ID-based reference to a KeyInfo element into a child element located inside it. This is due to the lack of an XML ID attribute on the defined KeyInfo types. In such cases, use of KeyInfoReference is encouraged instead, see section 4.5.10."

This says that if I want to access an X509Data or X509Certificate by ID, I can't do it, because the schema for these did not include Id attributes, so transforms are required to get to them from the KeyInfo element referenced by Id.

KeyInfoReference (4.5.10, http://www.w3.org/TR/2010/WD-xmldsig-core1-20100513/#sec-KeyInfoReference)

"The result of dereferencing a KeyInfoReference must be a KeyInfo element, or an XML document with a KeyInfo element as the root."

How does KeyInfoReference help with the problem of getting directly to the X509Data element, etc.? It does nothing to get at the X509Data or X509Certificate; you still have to parse it.

I'm trying to understand whether the wording of the first note makes sense, as use of KeyInfoReference does not seem to resolve the issue described there. Do we need to update that "In such cases" sentence?

regards, Frederick

Frederick Hirsch
Nokia

Received on Friday, 21 January 2011 22:29:44 UTC
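To make the two dereferencing rules in the quoted spec text concrete, here is an added example (not part of the mail, the spec, or any W3C implementation). It uses only the Python standard library and a constructed sample document in which, as in the real schema, only ds:KeyInfo and ds:Object carry an Id attribute and ds:X509Data does not. A RetrievalMethod with Type X509Data pointing at the KeyInfo by Id is accepted only after an XPath filter transform narrows the node-set to the X509Data element; the same RetrievalMethod without a transform is rejected because the result is a KeyInfo, not the declared type. A KeyInfoReference to the same Id is accepted precisely because its result is a KeyInfo, after which the consumer still has to walk into it to reach the certificate. The XPath filter implemented here supports only the `ancestor-or-self::prefix:Name` idiom, and the prefix map is fixed in code because ElementTree does not retain in-scope xmlns declarations; both are assumptions of this demo.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS11 = "http://www.w3.org/2009/xmldsig11#"
XPATH_TRANSFORM = "http://www.w3.org/TR/1999/REC-xpath-19991116"
# ElementTree does not keep in-scope xmlns declarations, so the prefix map used
# by the XPath filter is fixed here (an assumption of this demo).
NS = {"ds": DS, "dsig11": DS11}

# Constructed sample document (not taken from the spec or the mail). Only
# ds:KeyInfo and ds:Object carry an ID-typed attribute; ds:X509Data has none.
SAMPLE = """<root xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      xmlns:dsig11="http://www.w3.org/2009/xmldsig11#">
  <ds:KeyInfo Id="k1">
    <ds:X509Data>
      <ds:X509Certificate>MIIB-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
  <ds:KeyInfo Id="k2">
    <ds:RetrievalMethod URI="#k1" Type="http://www.w3.org/2000/09/xmldsig#X509Data">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
          <ds:XPath>ancestor-or-self::ds:X509Data</ds:XPath>
        </ds:Transform>
      </ds:Transforms>
    </ds:RetrievalMethod>
    <dsig11:KeyInfoReference URI="#k1"/>
  </ds:KeyInfo>
  <ds:KeyInfo Id="k3">
    <ds:RetrievalMethod URI="#k1" Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>
    <dsig11:KeyInfoReference URI="#obj1"/>
  </ds:KeyInfo>
  <ds:Object Id="obj1"/>
</root>
"""
ROOT = ET.fromstring(SAMPLE)


def same_document_lookup(root, uri):
    """Resolve a same-document reference ("#id") to the element carrying that Id.
    Remote URIs are refused so the demo never fetches anything."""
    if not uri.startswith("#"):
        raise ValueError(f"only same-document references are resolved here: {uri!r}")
    wanted = uri[1:]
    for el in root.iter():
        if el.get("Id") == wanted:
            return el
    raise LookupError(f"no element with Id={wanted!r}")


def xpath_filter(nodes, expr):
    """Minimal XPath filter transform: only the 'ancestor-or-self::prefix:Name'
    idiom is supported (a deliberate subset, not a general XPath engine).
    Returns the matching elements; their subtrees form the filtered node-set."""
    m = re.fullmatch(r"ancestor-or-self::(\w+):(\w+)", expr.strip())
    if m is None:
        raise NotImplementedError(f"unsupported XPath filter: {expr!r}")
    tag = "{%s}%s" % (NS[m.group(1)], m.group(2))
    return [match for start in nodes for match in start.iter(tag)]


def dereference_retrieval_method(root, rm):
    """Dereference ds:RetrievalMethod: resolve the URI, apply its Transforms in
    order, then require the result to match the declared Type."""
    nodes = [same_document_lookup(root, rm.get("URI"))]
    for tr in rm.findall("ds:Transforms/ds:Transform", NS):
        if tr.get("Algorithm") != XPATH_TRANSFORM:
            raise NotImplementedError(f"unsupported transform: {tr.get('Algorithm')}")
        nodes = xpath_filter(nodes, tr.find("ds:XPath", NS).text)
    declared = rm.get("Type")
    if declared:
        ns, local = declared.rsplit("#", 1)
        expected = "{%s#}%s" % (ns, local)
        bad = [n.tag for n in nodes if n.tag != expected]
        if bad or not nodes:
            raise ValueError(f"Type is {declared} but result is {bad or 'empty'}")
    return nodes


def dereference_keyinfo_reference(root, kir):
    """Dereference dsig11:KeyInfoReference: the result must be a ds:KeyInfo element
    (the spec also allows a document whose root is one); anything else is rejected."""
    target = same_document_lookup(root, kir.get("URI"))
    if target.tag != "{%s}KeyInfo" % DS:
        raise ValueError(f"KeyInfoReference resolved to {target.tag}, not ds:KeyInfo")
    return target


def certificate_from_keyinfo(keyinfo):
    """The step KeyInfoReference leaves to the consumer: walk the KeyInfo to the cert."""
    cert = keyinfo.find("ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise LookupError("KeyInfo carries no X509Certificate")
    return "".join(cert.text.split())


def keyinfo(root, key_id):
    return same_document_lookup(root, "#" + key_id)


def demo():
    """Both routes from KeyInfo k2 to the certificate held under KeyInfo k1."""
    k2 = keyinfo(ROOT, "k2")
    via_rm = dereference_retrieval_method(ROOT, k2.find("ds:RetrievalMethod", NS))
    via_kir = dereference_keyinfo_reference(ROOT, k2.find("dsig11:KeyInfoReference", NS))
    return via_rm[0].tag, via_kir.tag, certificate_from_keyinfo(via_kir)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the mail describes: the RetrievalMethod route ends at the X509Data element only because of the transform, while the KeyInfoReference route ends at the KeyInfo element and the consumer parses the rest itself. KeyInfo k3 in the sample exercises the two rejection cases, a typed RetrievalMethod with no transform and a KeyInfoReference whose target is not a KeyInfo.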