- From: Cantor, Scott <cantor.2@osu.edu>
- Date: Fri, 12 Jul 2013 14:08:28 +0000
- To: "Manger, James H" <James.H.Manger@team.telstra.com>, Magnus Nystrom <mnystrom@microsoft.com>, "Frederick.Hirsch@nokia.com" <Frederick.Hirsch@nokia.com>
- CC: "public-xmlsec@w3.org" <public-xmlsec@w3.org>, "Mark.Priestley@vodafone.com" <Mark.Priestley@vodafone.com>
> Hence, theoretically the spec is ok. In practice, this “MUST” will invariably be > ignored. Firstly because you can still interop while ignoring the “MUST”: you > will not get the security ConcatKDF is supposed to deliver, but you still > interoperate (sigh). An XML library can hardly implement “an application- > specific way not defined in this document”. Sure it can, it just has to provide parameters the application supplies to control the behavior, which I guess in this case involves lengths? > There isn’t even a way to identify > which “application-specific way” is used. Magnus’s comment (“we could > claim … we used an expected fixed-length”) implies Microsoft didn’t > implement this “MUST”, which is unsurprising as I doubt any library will. If I had a way to do so (OpenSSL doesn’t implement Concat at all), I definitely would if the issue was identified in the spec or a guidelines doc. -- Scott
Received on Friday, 12 July 2013 14:09:29 UTC