- From: Marcos Caceres <marcosscaceres@gmail.com>
- Date: Tue, 28 Jun 2011 23:16:38 +0100
- To: Frederick.Hirsch@nokia.com
- Cc: public-xmlsec@w3.org, public-webapps@w3.org, tlr@w3.org, kai.hendry@wacapps.net, paddy.byers@gmail.com
Hi Frederick, XML Sec WG,

On Tue, Jun 28, 2011 at 8:43 PM, <Frederick.Hirsch@nokia.com> wrote:

> Marcos
>
> The XML Security WG discussed your proposed addition regarding certificate ordering at our teleconference today [1].
>
> The Working Group does not agree to change the core XML Signature specification as these would not be normative changes to that specification. The XML Signature specification focuses on the details of signing but as a design choice does not detail generic PKI considerations (or details related to the various KeyInfo materials that have schema places in the specification) [2].

Understood.

> The sense of the Working Group is that a profile of XML Signature, such as Widget Signature would be an appropriate place to note practices or restrictions important to that specification.

I will add this non-normative note to the Widget Signature specification.

> However, the XML Security WG does have a non-normative XML Signature Best Practices document [3] and could add material such as this to it, which would probably also make sense. Would you be able to craft language for a best practice (the document uses a format of expressing the issue, a short statement of the practice and then details).

I'd be happy to propose some text. I'll just send you whatever ends up in the Widget Sig specification.

Additionally, it is great that the XML Security Working Group has created a best practices document. I would encourage the Working Group to link to the best practices from the Introduction of the specification or as a non-normative reference. Or add it under the Editors as a link in the header of the document, so it can be quickly and easily found.

Again, I speak from having dealt with numerous (~7) companies trying to implement XML Dig Sig 1.1 + the Widgets Signature spec. There is *a lot* of confusion about this stuff out there and a lot of frustration because it's super hard to find any useful guidance or information easily.

I urge the working group, please: this is a pretty good technology and it's not that hard to use once you understand what is going on. The more guidance this working group can provide, the better. I'll do my bit on the Widget Dig Sig side, but you guys also have a responsibility to make XML Dig Sigs a pleasant experience to use (from a specification, implementation, and author perspective). At least linking to the best practices guide from the spec is a step in the right direction, even if you don't include a non-normative note about it.

Kind regards,
Marcos

--
Marcos Caceres
http://datadriven.com.au
Received on Tuesday, 28 June 2011 22:17:26 UTC