proposal - retain OCSPResponse element in XML Signature 1.1 without specific interop

We have suggested that the OCSPResponse element we added to the KeyInfo/X509Data in XML Signature 1.1 is at risk due to lack of  interop testing.

I think we should clarify whether interop testing is required, given that this is a generic container for material that is out of the scope of XML Signature 1.1 definition. In other words, do we need to test the addition of an optional schema element used to contain and convey information whose format and processing is defined elsewhere?

The following is stated in section 4.5.4 of XML Signature 1.1 [1] and that is pretty much the extent of it apart from a comment added to the schema snippet in the draft:

  *   The dsig11:OCSPResponse element contains a base64-encoded OCSP response in DER encoding. [OCSP<http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#bib-OCSP>].

A similar case is the X509SKI element also noted in the X509Data list in XML Signature 1.0 [2]. I do not believe there was any interop test of this element for bringing the earlier XML Signature to recommendation [2].

Thus I'd argue we do not need to remove the OCSPResponse element from the specification to progress, nor do we need an interop test as it is an extension point with a clearly defined XML Element name and namespace. In fact, as we've noted on the teleconferences, the work of building a test framework would far exceed the value of testing the existence of an optional XML element.

Thomas, can you please check if this argument holds with the Team? If so we should document this and retain the OCSPResponse element as we progress.

Please send any comment to the public list.

Thanks

regards, Frederick

Frederick Hirsch
Nokia


[1] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#sec-X509Data

[2] http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-X509Data

[3] http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html