Re: AW: Errors and Questions

At 09:44 7/27/2000 +0200, Gregor Karlinger wrote:
 >Correctly, it should look like:
 >  (<Reference (URI=)? >
 >    (Transforms)?
 >    (DigestMethod)
 >    (DigestValue)
 >  </Reference>)+

ahh... I call those parentheses (wasn't sure if bracket meant [ ;)!)

 >>  > [GK9]Only correct for values created with methods
 >>  >specified by XML-Signature standard
 >I am OK with the current datatype definition, but currently it is
 >with the explanation of section 4.2:
 >I suggest to tweak the text as follows:
 >  While we specify a mandatory and optional to implement SignatureMethod
 >  user specified algorithms are permitted. Both algorithms specified by
 >  specification and user specified ones MUST use Base64 [MIME] as their
 >  method.


 >>  > [GK11]Why is it always base64 encoded? I suggest the
 >>  >same mechanism as with SignatureValue, i. e. the encoding (if any) is
 >> determined by the DigestMethod.
 >> Do you mean there is an attribute in DigestMethod, or that it is
 >> an implicit
 >> parameter? (Please include complete proposal.)
 >Now, with my suggested new text for [GK10], my remark [GK11] gets obsolete.
 >Both SignatureValues and DigestValues shall be Base64 encoded in any case.


 >>  > [GK20]Only a single certificate possible here?
 >> ?
 >The first sentence in section 4.4.4. reads:
 >  An X509Data element within KeyInfo contains one or more identifiers
 >  of keys/X509 certificates that may be useful for validation.
 >It says "one or more X509 certificates" in a X509Data element, which
 >seems reasonable, since I can include a whole certificate chain and
 >not only one EE certificate. But the grammar (now, in your latest
 >editorial copy both Schema and DTD) only allow for a single certificate.

Addressed in other email, Barb said limited to 1.

 >>  > [GK22]Content Model is different from that in the
 >>  >Schema Definition
 >> Based on previous comment Editors' copy reads:
 >>    <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+ |
 >>                       X509Certificate | X509CRL)>
 >See also my comment on [GK20] above.

Given you only have one cert, I think this is ok, right?

 >>  > [GK26]Why is there still this superfluous
 >   >If we make this restriction (I do not see an argument against it), I
 >   >to reject the SignatureProperties element at all, since it only works
 >   >an additional "container" level between Object and SignatureProperty,
 >   >nothing else.
Right, I agreed it is superflous and wanted to see if anyone else opposed
it's removal. I will confirm next week at the FTF.

Joseph Reagle Jr.   
W3C Policy Analyst      
IETF/W3C XML-Signature Co-Chair

Received on Thursday, 27 July 2000 18:53:29 UTC