- From: <tgindin@us.ibm.com>
- Date: Mon, 5 Jun 2000 20:32:58 -0400
- To: "Barb Fox" <bfox@Exchange.Microsoft.com>
- cc: "Joseph M. Reagle Jr." <reagle@w3.org>, w3c-ietf-xmldsig@w3.org
Does your last statement mean that you believe that a separate
standard should later be produced for non-digital electronic signatures of
XML documents, or that you believe that the existence of such signatures
should not be encouraged? If a separate standard is produced, it should
borrow a very large fraction of the syntax from this standard.
I would not object to wording like "no signature object is in
compliance with this version of the standard unless it contains a
SignatureValue which may be verified by purely cryptographic means", as
long as "this version" is present.
Tom Gindin
"Barb Fox" <bfox@Exchange.Microsoft.com> on 06/05/2000 08:13:29 PM
To: "Joseph M. Reagle Jr." <reagle@w3.org>
cc: Tom Gindin/Watson/IBM@IBMUS, <w3c-ietf-xmldsig@w3.org>
Subject: RE: Manually Signed Digest as an XML signature type
Joseph:
Your definition of KeyInfo is information related to the generation of the
signature.
Mine is that KeyInfo is information required by the verifier of a
signature. There are several forms, like KeyName, that illustrate that
it's not intended to be used in the generation of a signature.
Also, in your choice between:
"A. Non cryptographic electronic signatures should place their "validating"
information in SignatureProperties, or
B. Non cryptographic electronic signatures can not use XML Signature syntax
what-so-ever. (Specifying this would be difficult as we would then have to
enumerate all the algorithms that may be used, or all those that may not,
and it's difficult to enforce.)"
I believe we should clearly state that compliance with this standard
requires that a cryptographic signature MUST be generated (or verified.) If
the producer of a cryptographically signed XML document wishes to add an
electronic signature, it should be included as a SignatureProperty.
--Barb
Received on Monday, 5 June 2000 20:33:09 UTC