- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Mon, 31 Jul 2000 14:13:05 -0700
- To: Thomas Maslen <maslen@dstc.edu.au>
- Cc: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
At 18:20 7/31/2000 +1000, Thomas Maslen wrote: >One last vestige (I think) of the no-longer-optional CanonicalizationMethod >that I didn't notice last time around... in the editors' copy at > > http://www.w3.org/Signature/Drafts/WD-xmldsig-core-latest/ > >section "3.2.2 Signature Validation", item 3 says "(optionally canonicalized)". >Should it be just "(canonicalized)" now? Noted and fixed! >Also, step 1 of section 3.2.1 is exactly the same as step 1 of section 3.2.2. >I understand why it's in 3.2.2, and I'm willing to believe that it may also >be necessary in 3.2.1 to stave off some attack, but it looks for all the world >like a cut-and-paste error -- perhaps it needs some text in parentheses that >boils down to "yes, we really do mean this, and here's why"? (And, if this is >necessary, should it be hoisted above "For each Reference in SignedInfo:" ?). That's been mentioned before and I your recommendation is a good one: Canonicalize the SignedInfo element based on the CanonicalizationMethod in SignedInfo (so as to ensure the application Sees What is Signed, which is the canonical form). _________________________________________________________ Joseph Reagle Jr. W3C Policy Analyst mailto:reagle@w3.org IETF/W3C XML-Signature Co-Chair http://www.w3.org/People/Reagle/
Received on Monday, 31 July 2000 14:12:46 UTC