Re: CanonicalizationMethod

One last vestige (I think) of the no-longer-optional CanonicalizationMethod 
that I didn't notice last time around... in the editors' copy at

	http://www.w3.org/Signature/Drafts/WD-xmldsig-core-latest/

section "3.2.2 Signature Validation", item 3 says "(optionally canonicalized)".
Should it be just "(canonicalized)" now?

Also, step 1 of section 3.2.1 is exactly the same as step 1 of section 3.2.2.
I understand why it's in 3.2.2, and I'm willing to believe that it may also
be necessary in 3.2.1 to stave off some attack, but it looks for all the world 
like a cut-and-paste error -- perhaps it needs some text in parentheses that 
boils down to "yes, we really do mean this, and here's why"?  (And, if this is 
necessary, should it be hoisted above "For each Reference in SignedInfo:"?)

Thomas Maslen
maslen@pobox.com

Received on Monday, 31 July 2000 04:21:10 UTC