- From: TAMURA Kent <kent@trl.ibm.co.jp>
- Date: Fri, 29 Sep 2000 10:26:59 +0900
- To: w3c-ietf-xmldsig@w3.org
Members of my group read the latest Canonical XML [1] and the latest XML Signature [2]. The following are comments on [2] from members.

[1] http://www.w3.org/TR/2000/WD-xml-c14n-20000907
[2] http://www.w3.org/TR/2000/WD-xmldsig-core-20000918/

1.3 Versions, Namespaces and Identifiers

    XSLT is identified and defined by an external namespace
    http://www.w3.org/TR/1999/PR-xslt-19991008
  should be:
    XSLT is identified and defined by an external URI(?)
    http://www.w3.org/TR/1999/REC-xslt-19991116

2.2 Extended Example (Object and SignatureProperty)

  o The first paragraph, the second sentence from the bottom
      the SignatureProperty element.
    should be:
      the <code>SignatureProperty</code> element.

2.3 Extended Example (Object and Manifest)

  o The last example
      [m13]   </Reference>
      [m14] </Object>
    should be:
      [m13]   </Reference>
      [m14]  </Manifest>
      [m15] </Object>

3.1 and 3.2

  "The REQUIRED steps" is too strong an expression. The order of these steps may be changed. For example, in 3.2.2, "1. Canonicalize..." and "2. Obtain..." are exchangeable.

3.2.1 Reference Validation

  Why do we have to canonicalize the SignedInfo before processing References?

4.3.3.1 The URI Attribute

  o the last paragraph
      S<code>ignatureProperties</code>
    should be:
      <code>SignatureProperties</code>

4.3.3.2 The Reference Processing Model

  o the first item in the first list after the second paragraph
      If the data object is a set of octets and ...
    should be:
      If the data object is an octet stream and ...

  o the first example of URI examples
      URI="http://example.com/bar.xml"
      Identifies the octets that represent the (unparsed) external XML
      resource 'http://example.com/bar.xml'.
    The suffix of the URI is ".xml", but signature applications must not suppose the URI identifies an XML document and it need not see media type of this resource. So, it should be:
      Identifies the octets that represent the external resource
      'http://example.com/bar.xml', that is probably XML document.

  o the third example, URI=""
    Add a note that comment nodes are omitted. It is difficult to understand whether comment nodes are omitted or not in each case....

  o the fourth example, URI="#chapter1", the second sentence
      signature applications ...
    should be:
      Signature applications ...

4.4 The KeyInfo Element

  o the third paragraph
      ... by this specification; these can used ...
    should be:
      ... by this specification; these can be used ...

4.4.3 The RetrievalMethod Element

  o the second paragraph and Schema/DTD definition
    The second paragraph says "Type is an optional identifier", but the Schema/DTD declare the Type attribute is required.

  o DTD
      <!ATTLIST Type
    should be:
      <!ATTLIST RetrievalMethod

4.4.4 The X509Data Element

  The specification does not describe how to include a certificate chain, though a certificate chain is used in the example. In the example, how does a signature application know which certificate has a key to verify the signature?

--
TAMURA Kent @ Tokyo Research Laboratory, IBM
Received on Thursday, 28 September 2000 21:27:34 UTC