- From: Matthew Appler <mappler@corsec.com>
- Date: Tue, 14 Mar 2000 09:38:41 -0500
- To: "Carl Wallace" <cwallace@erols.com>, "Barb Fox" <bfox@EXCHANGE.MICROSOFT.com>, "dsig" <w3c-ietf-xmldsig@w3.org>
- Cc: <pmhesse@cygnacom.com>
- Message-ID: <LKEJLIIDMDLAOEDHKGHPKEANCEAA.mappler@corsec.com>
It seems to me that the issue here is not so much a burden on developers, but rather a question of NEED vs. WANT. From the xmldsig-requirements document section 2.5:

"The specification must only require the provision of key information essential to checking the validity of the cryptographic signature. For instance, identity and key recovery information might be of interest to particular applications, but they are not within the class of required information defined in this specification. [List(Reagle)]"

This information is not "essential". It may be nice to have during path development, but you can perform path development without this information as well. The issue to me is not that the standard provides a mechanism to encode key information in this field, but that it REQUIRES it. DSA key and parameter information is not required to perform path development; it only assists in path development.

-Matthew Appler

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Carl Wallace
Sent: Monday, March 13, 2000 7:32 PM
To: Barb Fox; dsig
Cc: pmhesse@cygnacom.com
Subject: Re: KeyInfo questions/comments

Barb,

Thanks to Brian's comments I understand now the idea is for KeyInfo to serve as a "hint" and little/nothing more. However, I still fail to see where KeyValue provides anything in the way of "base interoperability" where a PKI application receives a key via KeyValue from a non-PKI application and thus fail to see why KeyValue is required. It seems only to provide enough interoperability for a non-PKI application to deliver a key that cannot be validated to a PKI application. Without clarification in the text as to the intent, I believe the structures provide too much of an invitation to be used in a manner not consistent with the intent. As for the DSA parameters, since using them directly from a KeyValue is not the idea, why mandate their inclusion? Certainly there would be no harm in relaxing the requirement that every KeyValue include them; a simple minOccurs=0 seems appropriate. It would definitely save many bits spent on information that's really more nice to have than necessary for many/most implementations.

-Carl
Received on Tuesday, 14 March 2000 09:38:33 UTC
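The hint-only use of KeyInfo that both messages describe, as an added example that is not from the list, the spec or either author: a Python resolver that reads ds:KeyValue/ds:DSAKeyValue with P, Q and G optional (the minOccurs=0 relaxation Carl proposes) and accepts the key only when Y names a key the verifier already trusts, refusing any hint whose parameters contradict the ones held locally. The trust store, its values and the KeyInfo fragments are constructed; element names follow the XML Signature namespace.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = "http://www.w3.org/2000/09/xmldsig#"
DS = "{" + NS + "}"

# Constructed trust store: DSA public values (Y, base64 as carried in the
# signature) the verifier already trusts, together with the domain parameters
# it holds itself, so a KeyValue hint need not repeat P, Q and G.
TRUSTED_DSA_KEYS = {
    "AQIDBA==": {"owner": "alice", "p": "Bw==", "q": "Bg==", "g": "Ag=="},
}

def _b64_text(node):
    """Base64 content with line-wrapping whitespace removed; None when the
    element is absent; ValueError when the content is not base64 at all."""
    if node is None:
        return None
    text = "".join((node.text or "").split())
    try:
        base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"{node.tag} is not base64") from exc
    return text

def parse_dsa_keyvalue(keyinfo):
    """Read ds:KeyValue/ds:DSAKeyValue with P, Q and G optional (minOccurs=0);
    Y stays required, so a DSAKeyValue without it carries no hint."""
    dsa = keyinfo.find(f"./{DS}KeyValue/{DS}DSAKeyValue")
    if dsa is None:
        return None
    fields = {n.lower(): _b64_text(dsa.find(DS + n)) for n in ("P", "Q", "G", "Y")}
    return fields if fields["y"] else None

def resolve_key(keyinfo_xml, trusted=TRUSTED_DSA_KEYS):
    """Treat KeyInfo purely as a hint: return the trusted key it points at, or
    None. A well-formed hint that names no trusted key is still unusable."""
    try:
        hint = parse_dsa_keyvalue(ET.fromstring(keyinfo_xml))
    except (ET.ParseError, ValueError):
        return None
    known = trusted.get(hint["y"]) if hint else None
    if known is None:
        return None
    if any(hint[p] is not None and hint[p] != known[p] for p in ("p", "q", "g")):
        return None  # hint contradicts the parameters the verifier already holds
    return known
```

Call resolve_key() with the serialized ds:KeyInfo element from a signature; the returned entry, not the hint itself, is what the verifier uses.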