- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Thu, 27 Jul 2000 18:52:37 -0400
- To: "Gregor Karlinger" <gregor.karlinger@iaik.at>
- Cc: "Gregor Karlinger" <gregor.karlinger@iaik.at>, "XML" <w3c-ietf-xmldsig@w3.org>
At 09:44 7/27/2000 +0200, Gregor Karlinger wrote:
>Correctly, it should look like:
>
> (<Reference (URI=)?
>
> (Transforms)?
> (DigestMethod)
> (DigestValue)
> </Reference>)+

ahh... I call those parentheses (wasn't sure if bracket meant [ ;)!)

>> > [GK9]Only correct for values created with methods
>> >specified by XML-Signature standard ...
>I am OK with the current datatype definition, but currently it is
>contradicting
>with the explanation of section 4.2:
> ...
>I suggest to tweak the text as follows:
>
> While we specify a mandatory and optional to implement SignatureMethod
>algorithms,
> user specified algorithms are permitted. Both algorithms specified by this
> specification and user specified ones MUST use Base64 [MIME] as their
>encoding
> method.

Changed.

>> > [GK11]Why is it always base64 encoded? I suggest the
>> >same mechanism as with SignatureValue, i. e. the encoding (if any) is
>> determined by the DigestMethod.
>>
>> Do you mean there is an attribute in DigestMethod, or that it is
>> an implicit
>> parameter? (Please include complete proposal.)
>
>Now, with my suggested new text for [GK10], my remark [GK11] gets obsolete.
>Both SignatureValues and DigestValues shall be Base64 encoded in any case.

Ok.

>> > [GK20]Only a single certificate possible here?
>>
>> ?
>
>The first sentence in section 4.4.4. reads:
>
> An X509Data element within KeyInfo contains one or more identifiers
> of keys/X509 certificates that may be useful for validation.
>
>It says "one or more X509 certificates" in a X509Data element, which
>seems reasonable, since I can include a whole certificate chain and
>not only one EE certificate. But the grammar (now, in your latest
>editorial copy both Schema and DTD) only allow for a single certificate.

Addressed in other email, Barb said limited to 1.
>> > [GK22]Content Model is different from that in the
>> >Schema Definition
>>
>> Based on previous comment Editors' copy reads:
>>
>> <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+ |
>> X509Certificate | X509CRL)>
>
>See also my comment on [GK20] above.

Given you only have one cert, I think this is ok, right?

>> > [GK26]Why is there still this superfluous
>http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000AprJun/0188.html
>
>If we make this restriction (I do not see an argument against it), I
>to reject the SignatureProperties element at all, since it only works as
>an additional "container" level between Object and SignatureProperty,
>nothing else.

Right, I agreed it is superfluous and wanted to see if anyone else opposed its removal. I will confirm next week at the FTF.

_________________________________________________________
Joseph Reagle Jr.
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
Received on Thursday, 27 July 2000 18:53:29 UTC
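The two points this message settles, that DigestValue (like SignatureValue) is always Base64 encoded and that the editors' copy of the X509Data content model admits only a single X509Certificate, worked into a small Python check. This is an added example for this archive page, not code from the working group, the spec or either correspondent. It implements the X509Data content model exactly as quoted in the message, `((X509IssuerSerial | X509SKI | X509SubjectName)+ | X509Certificate | X509CRL)`, and the Reference grammar from the top of the message, `Reference URI? (Transforms? DigestMethod DigestValue)`. The SHA-1 algorithm URI, the unqualified (namespace-free) element names and the sample data are assumptions; the thread fixes neither a digest algorithm nor a namespace.

```python
"""Added example: checks for the XML-Signature grammar discussed in the thread.

Assumptions (not stated in the message): the SHA-1 algorithm URI below,
unqualified element names as in the quoted DTD fragment, and the sample
input used by the caller. Transforms are recorded but not applied; the
digest is taken over the bytes the caller supplies.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional, Sequence, Tuple

# Assumed digest algorithm identifier; the thread does not name one.
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_ALGS = {SHA1_URI: hashlib.sha1}

# The identifier branch of the quoted X509Data content model.
IDENTIFIERS = frozenset({"X509IssuerSerial", "X509SKI", "X509SubjectName"})


def validate_x509data_children(children: Sequence[str]) -> Tuple[bool, str]:
    """Check child element names (in document order) against
    ((X509IssuerSerial | X509SKI | X509SubjectName)+ | X509Certificate | X509CRL)
    as quoted from the editors' copy. Returns (ok, reason)."""
    children = list(children)
    if not children:
        return False, "X509Data must have at least one child"
    if all(c in IDENTIFIERS for c in children):
        return True, "identifier branch: (X509IssuerSerial | X509SKI | X509SubjectName)+"
    if children == ["X509Certificate"]:
        return True, "single X509Certificate"
    if children == ["X509CRL"]:
        return True, "single X509CRL"
    if set(children) == {"X509Certificate"}:
        # The point raised under [GK20]: a chain does not fit this model.
        return False, "this content model allows only one X509Certificate per X509Data"
    return False, "children %r match no branch of the content model" % (children,)


def make_reference(data: bytes, uri: Optional[str] = None,
                   algorithm: str = SHA1_URI,
                   transforms: Sequence[str] = ()) -> ET.Element:
    """Build <Reference URI?> Transforms? DigestMethod DigestValue </Reference>
    with DigestValue Base64 encoded, as the thread requires."""
    ref = ET.Element("Reference")
    if uri is not None:
        ref.set("URI", uri)
    if transforms:
        ts = ET.SubElement(ref, "Transforms")
        for algo in transforms:
            ET.SubElement(ts, "Transform").set("Algorithm", algo)
    ET.SubElement(ref, "DigestMethod").set("Algorithm", algorithm)
    digest = DIGEST_ALGS[algorithm](data).digest()
    ET.SubElement(ref, "DigestValue").text = base64.b64encode(digest).decode("ascii")
    return ref


def check_reference(ref: ET.Element, data: bytes) -> bool:
    """Verify structure (optional Transforms, then DigestMethod, then DigestValue),
    that DigestValue is valid Base64, and that it matches the digest of data."""
    tags = [child.tag for child in ref]
    if tags[:1] == ["Transforms"]:
        tags = tags[1:]
    if tags != ["DigestMethod", "DigestValue"]:
        return False
    alg = ref.find("DigestMethod").get("Algorithm")
    if alg not in DIGEST_ALGS:
        return False
    text = ref.findtext("DigestValue") or ""
    try:
        got = base64.b64decode(text.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not Base64 at all
        return False
    return hmac.compare_digest(got, DIGEST_ALGS[alg](data).digest())


def reference_to_xml(ref: ET.Element) -> str:
    return ET.tostring(ref, encoding="unicode")


def check_reference_xml(xml_text: str, data: bytes) -> bool:
    return check_reference(ET.fromstring(xml_text), data)


if __name__ == "__main__":
    sample = b"<doc>constructed sample content</doc>"  # constructed input
    ref = make_reference(sample, uri="#obj1")
    print(reference_to_xml(ref))
    print("verifies:", check_reference_xml(reference_to_xml(ref), sample))
    print(validate_x509data_children(["X509Certificate", "X509Certificate"]))
```

The content-model checker mirrors the draft text under discussion only; the later Recommendation changed X509Data so that several X509Certificate elements can appear, so do not use this branch against documents written to the final spec. The Base64 check is the practical consequence of [GK10]/[GK11]: a verifier can reject a DigestValue that is not valid Base64 before it touches any digest computation.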