XML Signature 1.1 KeyInfo requirements

Section 4.5, paragraph 2:

"If KeyInfo is omitted, the recipient is expected to be able to identify the key 
based on application context. Multiple declarations within KeyInfo refer to the 
same key. While applications may define and use any mechanism they choose 
through inclusion of elements from a different namespace, compliant versions 
must implement KeyValue (section 4.5.2 The KeyValue Element) and should 
implement RetrievalMethod (section 4.5.3 The RetrievalMethod Element)."

These requirements seem like they should be revisited, especially since a later 
section says to avoid RetrievalMethod because of potential security concerns 
(see Note in section 4.5.10). Also, does this imply that all KeyValues must be 
supported? I would think it should only be supported if there is a required 
signature algorithm for the corresponding key type. Had there ever been any 
discussion about updating the list of required KeyInfo types?

Thanks,
Sean

Received on Wednesday, 29 June 2011 19:25:14 UTC
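A verifier-side KeyInfo policy in the spirit of the question above, added here as an example that is not code from the thread or from the specification: it treats an omitted KeyInfo as "resolve the key from application context", refuses RetrievalMethod in line with the note in section 4.5.10, and accepts a KeyValue only when its key type is paired with a signature algorithm the verifier actually supports. The key-type-to-algorithm table, the xmldsig11 namespace for ECKeyValue and the helper names are this example's assumptions.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
DS11 = "{http://www.w3.org/2009/xmldsig11#}"

# KeyValue child types this verifier accepts, each with the SignatureMethod
# algorithms it will verify using that key type. The pairing is this example's
# assumption; confirm it against section 6.1 of the specification.
KEY_TYPE_ALGORITHMS = {
    DS + "RSAKeyValue": {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"},
    DS + "DSAKeyValue": {"http://www.w3.org/2000/09/xmldsig#dsa-sha1"},
    DS11 + "ECKeyValue": {"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"},
}


def key_info_decision(signature_xml: str) -> str:
    """Apply a KeyInfo policy to one ds:Signature (policy check only, no crypto).
    Returns "context" (KeyInfo omitted: the application must choose the key),
    "accept" (one KeyValue type usable with the SignatureMethod) or "reject: <why>".
    """
    sig = ET.fromstring(signature_xml)
    method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
    algorithm = method.get("Algorithm") if method is not None else None
    if not algorithm:
        return "reject: SignatureMethod missing"
    key_info = sig.find(f"{DS}KeyInfo")
    if key_info is None:
        return "context"
    # The note in section 4.5.10 advises against RetrievalMethod: never fetch keys.
    if key_info.find(f"{DS}RetrievalMethod") is not None:
        return "reject: RetrievalMethod not accepted"
    # Foreign-namespace children are ignored; only KeyValue children count here.
    key_types = {child.tag for kv in key_info.findall(f"{DS}KeyValue") for child in kv}
    if not key_types:
        return "reject: no supported KeyValue"
    if len(key_types) > 1:  # every declaration in KeyInfo must name the same key
        return "reject: conflicting key declarations"
    (key_type,) = key_types
    if algorithm not in KEY_TYPE_ALGORITHMS.get(key_type, set()):
        return f"reject: {key_type} not usable with {algorithm}"
    return "accept"


def build_signature(algorithm: str, key_info_xml: str) -> str:
    """Constructed sample ds:Signature; values are placeholders, not real keys."""
    return (
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
        f'<SignedInfo><SignatureMethod Algorithm="{algorithm}"/></SignedInfo>'
        "<SignatureValue>c2FtcGxl</SignatureValue>"
        f"{key_info_xml}</Signature>"
    )
```

An "accept" here only means the KeyInfo passed policy; signature verification with the extracted key is a separate step.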