- From: <tgindin@us.ibm.com>
- Date: Tue, 13 Jun 2000 12:12:07 -0400
- To: "Barb Fox" <bfox@Exchange.Microsoft.com>
- cc: w3c-ietf-xmldsig@w3.org, reagle@w3.org

The two changes have distinct purposes. First, and less controversially, the wording you suggested does NOT clearly rule out pure digest algorithms as cryptographic signatures. I was trying to close a hole in the wording.

Second, my wording leaves open the question of whether a subsequent version will or will not support manually verifiable signatures, rather than leaping to a conclusion on the subject. It does imply that such signatures will be considered for inclusion in a subsequent version, but it does not guarantee that they will be included. I realize that you are opposed to their inclusion in a subsequent version, and that you are not alone in this view.

The wording of this clause will not delay interoperability testing, one way or the other. I am no more holding up the group than you are.

Tom Gindin

"Barb Fox" <bfox@Exchange.Microsoft.com> on 06/12/2000 11:21:57 PM

To: Tom Gindin/Watson/IBM@IBMUS
cc: <w3c-ietf-xmldsig@w3.org>, <reagle@w3.org>
Subject: RE: Section 6.1

Tom:

I object to this change. I don't think it clarifies anything because the use of a cryptographic key is implied. Further, it leaps to the conclusion that this working group wants to leave the door open to a next version with non-cryptographic signatures. I don't see any broad-based support for this, so let's just close this issue and get on with interoperability testing.

If some future implementors of "electronic" signatures want to define a new, non-cryptographic signature method, they can use the DSig syntax, but they will need to define a new namespace.

--Barb

-----Original Message-----
From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com]
Sent: Monday, June 12, 2000 5:17 PM
To: Barb Fox
Cc: w3c-ietf-xmldsig@w3.org; reagle@w3.org
Subject: Re: Section 6.1

To avoid foreclosing subsequent versions of the standard from covering general electronic signatures, I propose that the third sentence of Barbara's text be changed to the following:

"However, the present version of this specification REQUIRES cryptographic SignatureMethods for SignatureValue generation and verification, and these methods shall require at least one cryptographic key for verification."

The last clause rules out pure digest algorithms, without which the requirement has little effect.

Tom Gindin

"Barb Fox" <bfox@Exchange.Microsoft.com> on 06/12/2000 04:37:36 PM

To: w3c-ietf-xmldsig@w3.org
cc: reagle@w3.org
Subject: Section 6.1

To close on the issue of electronic signatures, I propose that the following text be included as paragraph two in Section 6.1, Algorithm Identifiers and Implementation Requirements:

"This specification defines a set of algorithms, their URIs, and requirements for implementation. In general, requirements apply to implementations, not to signature use. However, this specification REQUIRES cryptographic SignatureMethods for SignatureValue generation and verification. Other authenticators (electronic, biometric, etc.) may be included ONLY as a supplement to the cryptographic signature via the SignatureProperty element type."

This should remove any ambiguity.

--Barb

Received on Tuesday, 13 June 2000 12:12:49 UTC