Re: XML Signature 1.1 KeyInfo requirements

On 6/29/11 3:24 PM, "Sean Mullan" <sean.mullan@oracle.com> wrote:
>
> These requirements seem like they should be revisited, especially since a
> later section says to avoid RetrievalMethod because of potential security
> concerns (see Note in section 4.5.10).

I think we missed that text making it a SHOULD, actually.

> Also, does this imply that all KeyValues must be supported?

Strictly speaking all it says is KeyValue itself, not any particular child
elements. Could be clearer.

> I would think it should only be supported if there is a required
> signature algorithm for the corresponding key type. Had there ever been
> any discussion about updating the list of required KeyInfo types?

I think the most that would happen is clarifying your point about
KeyValue, and *maybe* making KeyInfoReference a should. All the other new
stuff was explicitly insisted on as optional as a condition of adding them.

-- Scott

Received on Wednesday, 29 June 2011 19:33:00 UTC
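The points in the exchange above (KeyValue as the one in-band form a verifier must handle, RetrievalMethod discouraged by the Note in 4.5.10, KeyInfoReference optional, and KeyValue child types only worth accepting where a signature algorithm exists for that key type) can be turned into an admission check a verifier runs on KeyInfo before it touches any key material. The code below is an added example, not code from this thread or from any XMLDSig implementation. It assumes the XML Signature 1.1 namespace `http://www.w3.org/2009/xmldsig11#` for KeyInfoReference and ECKeyValue, and the set of supported KeyValue types is a policy assumption for this example, not a statement of what the spec requires.

```python
# Added example: KeyInfo admission check for an XML Signature verifier.
# Not code from the thread or from any XMLDSig implementation.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"        # XML Signature core namespace
DSIG11 = "http://www.w3.org/2009/xmldsig11#"     # XML Signature 1.1 namespace (assumption)

# Key-type policy (assumption for this example): admit only KeyValue child
# types for which this verifier actually implements a signature algorithm.
SUPPORTED_KEY_VALUE_TYPES = {(DS, "RSAKeyValue"), (DSIG11, "ECKeyValue")}

# KeyInfo children this verifier understands directly.
ACCEPTED_CHILDREN = {(DS, "KeyValue"), (DS, "X509Data"), (DSIG11, "KeyInfoReference")}

# Children refused outright: RetrievalMethod tells the verifier to dereference
# a URI to obtain key material, which the Note in section 4.5.10 advises avoiding.
REFUSED_CHILDREN = {(DS, "RetrievalMethod")}


def qname(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def check_keyinfo(xml_text):
    """Return (verdict, reasons) for the KeyInfo inside a Signature document.

    verdict is 'accept' when at least one usable key-identification element is
    present and nothing refused appears; otherwise 'reject'. reasons explains
    every element that was refused, ignored or found unusable.
    """
    root = ET.fromstring(xml_text)
    keyinfo = root if qname(root.tag) == (DS, "KeyInfo") else root.find(f".//{{{DS}}}KeyInfo")
    if keyinfo is None:
        return "reject", ["no KeyInfo element; key must be supplied by application context"]

    reasons, usable, refused = [], 0, False
    for child in keyinfo:
        kind = qname(child.tag)
        if kind in REFUSED_CHILDREN:
            refused = True
            reasons.append(f"{kind[1]}: refused, external key retrieval is not allowed")
        elif kind == (DS, "KeyValue"):
            # KeyValue itself is mandatory to support; its child key types are
            # only useful if a signature algorithm exists for that key type.
            types = [qname(k.tag) for k in child]
            supported = [t[1] for t in types if t in SUPPORTED_KEY_VALUE_TYPES]
            unsupported = [t[1] for t in types if t not in SUPPORTED_KEY_VALUE_TYPES]
            if supported:
                usable += 1
            if unsupported:
                reasons.append("KeyValue: no supported signature algorithm for " + ", ".join(unsupported))
            if not types:
                reasons.append("KeyValue: empty")
        elif kind in ACCEPTED_CHILDREN:
            usable += 1
        else:
            reasons.append(f"{kind[1]}: ignored, not understood by this verifier")

    if refused or usable == 0:
        return "reject", reasons
    return "accept", reasons


# Constructed sample documents (not real signatures; key bytes are dummies).
SIG_RSA = f"""<Signature xmlns="{DS}"><KeyInfo><KeyValue><RSAKeyValue>
<Modulus>AQAB</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature>"""

SIG_RETRIEVAL = f"""<Signature xmlns="{DS}"><KeyInfo><KeyValue><RSAKeyValue>
<Modulus>AQAB</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>
<RetrievalMethod URI="#someKey"/></KeyInfo></Signature>"""

SIG_DSA_ONLY = f"""<Signature xmlns="{DS}"><KeyInfo><KeyValue><DSAKeyValue>
<P>AQAB</P><Q>AQAB</Q><G>AQAB</G><Y>AQAB</Y></DSAKeyValue></KeyValue></KeyInfo></Signature>"""

SIG_NO_KEYINFO = f'<Signature xmlns="{DS}"><SignedInfo/></Signature>'

if __name__ == "__main__":
    for name, doc in [("rsa", SIG_RSA), ("retrieval", SIG_RETRIEVAL),
                      ("dsa-only", SIG_DSA_ONLY), ("no-keyinfo", SIG_NO_KEYINFO)]:
        verdict, reasons = check_keyinfo(doc)
        print(f"{name}: {verdict} {reasons}")
```

The check runs before any cryptographic work, so a document carrying RetrievalMethod is turned away without the verifier dereferencing the URI, and a KeyValue whose only child is a key type with no supported algorithm is reported as unusable rather than silently accepted.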