- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Tue, 20 Jun 2000 15:23:22 -0400
- To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
After further conversation regarding section 6.1, I think the following is the best representation of the WG intent (basically, the document is unchanged): 1. The document will continue to state, "This specification defines a set of algorithms, their URIs, and requirements for implementation. Requirements are specified over implementation, not over requirements for signature use." We'll continue to rely upon the text in 8.4 [1] to warn Signature users of the potential hazards of other algorithms, "Even more care may be warranted with application defined algorithms." 2. There's no proposal nor agreement to change the definitions or dataytpes of SignatureValue, SignatureProperty, or KeyInfo. 3. To answer the thread on hash algorithms as signature algorithms, the natural language definition of Signature requires a key to be associated with the content, consequently a simple hash SignatureMethod is an incorrect reading of the specification. Enforcement of this requirement falls to the users of the Signature applications (like all the issues in section 8 [2]). [1] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000AprJun/0268.html [2] http://www.w3.org/TR/2000/WD-xmldsig-core-20000601/#sec-Security _________________________________________________________ Joseph Reagle Jr. W3C Policy Analyst mailto:reagle@w3.org IETF/W3C XML-Signature Co-Chair http://www.w3.org/People/Reagle/
Received on Tuesday, 20 June 2000 15:23:56 UTC