RE: Section 6.1 from Barb Fox on 2000-06-13 (w3c-ietf-xmldsig@w3.org from April to June 2000)

From: Barb Fox <bfox@Exchange.Microsoft.com>
Date: Mon, 12 Jun 2000 20:21:57 -0700
To: <tgindin@us.ibm.com>
Cc: <w3c-ietf-xmldsig@w3.org>, <reagle@w3.org>
Message-ID: <96BABA22ECEAEA45B53D08D63E1B567826F179@DF-SPIKE.platinum.corp.microsoft.com>

Tom:

I object to this change. I don't think it clarifies anything because the
use of a cryptographic key is implied. Further, it leaps to the
conclusion that this working group wants to leave the door open to a
next version with non-cryptographic signatures. I don't see any
broad-based support for this, so let's just close this issue and get on
with interoperability testing.

If some future implementors of "electronic" signatures want to define a
new, non-cryptographic signature method, they can use the DSig syntax,
but they will need to define a new namespace.

--Barb


-----Original Message-----
From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com]
Sent: Monday, June 12, 2000 5:17 PM
To: Barb Fox
Cc: w3c-ietf-xmldsig@w3.org; reagle@w3.org
Subject: Re: Section 6.1


     To avoid foreclosing subsequent versions of the standard from
covering
general electronic signatures, I propose that the third sentence of
Barbara's text be changed to the following:  "However, the present
version
of this specification REQUIRES cryptographic SignatureMethods for
SignatureValue generation and verification, and these methods shall
require
at least one cryptographic key for verification."  The last clause rules
out pure digest algorithms, without which the requirement has little
effect.

          Tom Gindin


"Barb Fox" <bfox@Exchange.Microsoft.com> on 06/12/2000 04:37:36 PM

To:   w3c-ietf-xmldsig@w3.org
cc:   reagle@w3.org
Subject:  Section 6.1




To close on the issue of electronic signatures, I propose that the
following text be included as paragraph two in Section 6.1, Algorithm
Identifiers and Implementation Requirements:

"This specification defines a set of algorithms, their URIs, and
requirements
for implementation. In general, requirements apply to
implementations, not to signature use. However, this specification
REQUIRES cryptographic
SignatureMethods for SignatureValue generation and verification. Other
authenticators (electronic, biometric, etc.) may be included ONLY as a
supplement to the cryptographic signature via the SignatureProperty
element
type."

This should remove any ambiguity.

--Barb

Received on Monday, 12 June 2000 23:23:44 UTC