- From: Richard D. Brown <rdbrown@Globeset.com>
- Date: Thu, 8 Jul 1999 09:59:48 -0500
- To: "'Yoshiaki KAWATSURA'" <kawatura@bisd.hitachi.co.jp>
- Cc: <w3c-ietf-xmldsig@w3.org>
Yoshiaki, Thanks for your comments. I have a few comments on my own WRT your proposals: (1) I tend to agree that we should propose a series of elements to qualify Recipient and Originator. For now, I have proposed the IssuerAndSerialNumber and the Identifier elements. This pair appeared to be the minimum to enable support for X509 certificate-based and account-based identification. However, I disagree with the statement "XML Signature Module does not depend on any specific application." In fact, the current trend is to move signature verification and user authorization closer to the application layer. Though verification of the signature value is very mechanical, identification of the signer and retrieval of the signer's public-key can be very application-specific. (2) I think that your proposal is too restrictive and potentially increases the risk of "ID Conflict" when manipulating composite documents. Identifying the signer's certificate by means of an IDREF in the OriginatorInfo implies that the document always embeds a Certificate element that indicates the location or the value of the certificate. But there are circumstances when the relying party is already provided with a copy of the certificates that it trusts (i.e. account-based operation using certificates) or has its own trusted way to retrieve certificates (delegation to a trusted third-party). In such circumstances, the relying party only expects a unique and unambiguous reference to the signer's certificate (i.e. IssuerAndSerialNumber for X509 certificates). Sincerely, Richard D. Brown Software Architect - R&D Globeset, Inc. Austin, TX - U.S. > -----Original Message----- > From: Yoshiaki KAWATSURA [mailto:kawatura@ecd.bisd.hitachi.co.jp]On > Behalf Of Yoshiaki KAWATSURA > Sent: Thursday, July 08, 1999 3:32 AM > To: rdbrown@Globeset.com > Cc: kawatura@bisd.hitachi.co.jp > Subject: I have a couple of comments for your draft. > > > Hello, Richard, > I have a couple of comments for your draft. > > (1): > I think the XML Signature Module does not depend on the any specific > application (such as IOTP) because XML Signature is one of the common > XML frameworks(infrastructures). On the above assumption, I am > concerned that some XML Signature Modules may do different behaviors > if we do not clearly specify the elements in the OriginatorInfo and > ReceipientInfo component. I am fine with ANY basically but we should > describe the what we can define in these components. What do you > think about this? > > (2): > About #98121501 in the XMLDSIG > I also think that IssuerAndSerialNumber is too restrictive so > I suggest that > Old: > <!ELEMENT dsig:Certificate ( > dsig:IssuerAndSerialNumber, > ( dsig:Value | dsig:Locator ) > )> > > <!ATTLIST dsig:Certificate > xmlns:dsig CDATA #FIXED %xmldsig.dtd; > type NMTOKEN #REQUIRED > > > New: > <!ELEMENT dsig:Certificate ( > ( dsig:Value | dsig:Locator ) > )> > > <!ATTLIST dsig:Certificate > xmlns:dsig CDATA #FIXED %xmldsig.dtd; > id ID #REQUIRED > type NMTOKEN #REQUIRED > > > > And, > > Old: > <dsig:OriginatorInfo> > <dsig:IssuerAndSerialNumber > issuer='o=GlobeSet Inc., c=US' > number='123456789102356'/> > </dsig:OriginatorInfo> > > New: > <dsig:OriginatorInfo> > <dsig:Attribute > type='urn:xml-dsig-ietf-org:certificate-ref'> > <dsig:Identifier value='value of id element in > Cerfiticate Component'\> > </dsig:OriginatorInfo> > > > > > P.S. I will attend to the XMLDSIG WG in the IETF Oslo meeting. I am > looking forward to see you if you have a plan to go to Oslo. > > -- > Yoshiaki Kawatsura Hitachi, Ltd. >
Received on Thursday, 8 July 1999 11:00:06 UTC