- From: TAMURA Kent <kent@trl.ibm.co.jp>
- Date: Tue, 3 Oct 2000 14:37:05 +0900
- To: w3c-ietf-xmldsig@w3.org
In message "Re: Comments on XML-Signature S&P draft"
on 00/10/02, "Joseph M. Reagle Jr." <reagle@w3.org> writes:
> >3.1 and 3.2
> > "The REQUIRED steps" is too strong expression. The order of
> >these steps may be changed. For example, in 3.2.2,
> >"1. Canonicalize..." and "2. Obtain..." are exchangeable.
> >3.2.1 Reference Validation
> > Why do we have to canonicalize the SignedInfo before
> >processing References?
>
> Both of these are the same issue. As we recommend you see what you sign, and
> the CanonicalizationMethod might tweak the content of SignedInfo, it should
> be processed and then processed. For instance, say at some point the issue
> of releative URIs results in a CanonicalizationMethod that rewrites URIs in
> a novel way, you should apply CanonicalizationMethod first before processing
> them. This text is there to ensure security, though I expect if understood
> by implementors it won't result in a big deal. If they know they only
> support one CanonicalizationMethod, and that Method is safe then they might
> choose not to do this so as to optimize, but that's their choice and the
> spec needs to be clear. There's a parenthetical comment in the latest draft,
> do we need more motivating text?
Ok, I have understood the order of c14n and Reference
processing. But how about the order of c14n and obtaning a key
(1 and 2 in 3.2.2)? The SignedInfo has no reference to the
KeyInfo.
--
TAMURA Kent @ Tokyo Research Laboratory, IBM
Received on Tuesday, 3 October 2000 01:37:45 UTC