- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Wed, 11 Oct 2000 16:09:18 -0400
- To: TAMURA Kent <kent@trl.ibm.co.jp>
- Cc: w3c-ietf-xmldsig@w3.org
At 17:28 10/6/2000 +0900, TAMURA Kent wrote:
>But my question was that the order of canonicalizing SignedInfo
>(3.2.2 1) and obtaining the key (3.2.2 2) was really REQUIRED?

Ok, the text reads as below. However, I still have a question about the requirements over KeyInfo. If KeyInfo is provided and it doesn't contain a key that validates the Signature, but another Key can be found that does, is the signature valid? Basically, is the "or" in "keying information from KeyInfo or from an external source" exclusive, or an "and/or"?

3.2.2 Signature Validation

1. Obtain the keying information from KeyInfo or from an external source.
2. Obtain the canonical form of the SignatureMethod using the CanonicalizationMethod and use the result (and previously obtained KeyInfo) to validate the SignatureValue over the SignedInfo element.

Note, KeyInfo (or some transformed version thereof) may be signed via a Reference element. Validation of this reference (3.2.1) is orthogonal to Signature Validation which uses the KeyInfo as parsed. Additionally, the SignatureMethod URI may have been altered by the canonicalization of SignedInfo (e.g., absolutization of relative URIs) and it is the canonical form that MUST be used. However, the required canonicalization [XML-C14N] of this specification does not change URIs.

__
Joseph Reagle Jr.
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/People/Reagle/
Received on Wednesday, 11 October 2000 16:09:41 UTC
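The two validation steps quoted in the message above, worked through as an added example that is not part of the thread and not code from any XMLDSIG implementation. It assumes HMAC-SHA1 as the SignatureMethod (a real XMLDSIG algorithm, picked so no key pair is needed), an ad-hoc keystore dict for resolving KeyName, the Python 3.8+ xml.etree.ElementTree.canonicalize (C14N 2.0) standing in for the C14N 1.0 the spec requires, and a constructed Signature whose DigestValue is a placeholder because reference validation (3.2.1) is deliberately not performed. The function names (canonical_signed_info, validate, sign, demo) and the allow_external policy switch are this example's own; the switch exists only to make Kent's "or" versus "and/or" question concrete, not to answer it on the spec's behalf.

```python
"""Toy XML-Signature core validation following section 3.2.2 quoted above.
Added example, not code from the thread or from any XMLDSIG implementation.
Assumes: HMAC-SHA1 as SignatureMethod (a real XMLDSIG algorithm, chosen so no
key pair is needed); KeyName resolved through an ad-hoc keystore dict; Python
3.8+ xml.etree.ElementTree.canonicalize (C14N 2.0) standing in for C14N 1.0;
reference validation (3.2.1) skipped, so DigestValue is a placeholder.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1 = DSIG_NS + "hmac-sha1"
C14N_URI = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ET.register_namespace("ds", DSIG_NS)  # keep the ds: prefix when serializing

# Constructed Signature skeleton; sign() fills in {sigval}.
SIGNATURE_TEMPLATE = (
    '<ds:Signature xmlns:ds="{ns}"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="{c14n}"/>'
    '<ds:SignatureMethod Algorithm="{alg}"/>'
    '<ds:Reference URI="#data"><ds:DigestMethod Algorithm="{ns}sha1"/>'
    '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
    '</ds:SignedInfo><ds:SignatureValue>{sigval}</ds:SignatureValue>'
    '<ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo></ds:Signature>'
)


def _q(local):
    return "{%s}%s" % (DSIG_NS, local)   # Clark notation for the dsig namespace


def canonical_signed_info(signature):
    """Step 2, first half: canonical octets of the SignedInfo subtree.
    Serializing the subtree puts the ds namespace declaration on its apex
    element, which is also what C14N of that subtree yields."""
    signed_info = signature.find(_q("SignedInfo"))
    return ET.canonicalize(ET.tostring(signed_info, encoding="unicode")).encode()


def signature_method(canonical_octets):
    """Read SignatureMethod from the canonical form, as the spec requires."""
    return ET.fromstring(canonical_octets).find(_q("SignatureMethod")).get("Algorithm")


def keys_from_keyinfo(signature, keystore):
    """Step 1, KeyInfo branch: every KeyName the local keystore knows."""
    names = signature.iterfind(_q("KeyInfo") + "/" + _q("KeyName"))
    return [(n.text, keystore[n.text]) for n in names if n.text in keystore]


def verify_with_key(signature, key):
    """Step 2, second half: HMAC over canonical SignedInfo, constant-time compare."""
    octets = canonical_signed_info(signature)
    if signature_method(octets) != HMAC_SHA1:
        raise ValueError("unsupported SignatureMethod")
    expected = hmac.new(key, octets, hashlib.sha1).digest()
    given = base64.b64decode(signature.findtext(_q("SignatureValue")))
    return hmac.compare_digest(expected, given)


def validate(signature_xml, keystore, external_keys=(), allow_external=True):
    """Return the label of the key that validated SignatureValue, else None.
    allow_external is this toy's policy knob for the "or" versus "and/or"
    question: False tries only KeyInfo keys, True also tries keys obtained
    out of band (KeyInfo first)."""
    signature = ET.fromstring(signature_xml)
    candidates = keys_from_keyinfo(signature, keystore)
    if allow_external:
        candidates += list(external_keys)
    for label, key in candidates:
        if verify_with_key(signature, key):
            return label
    return None


def sign(key_name, key):
    """Constructed signer: SignatureValue = HMAC-SHA1 over canonical SignedInfo."""
    unsigned = SIGNATURE_TEMPLATE.format(ns=DSIG_NS, c14n=C14N_URI, alg=HMAC_SHA1,
                                         key_name=key_name, sigval="SIGVAL")
    octets = canonical_signed_info(ET.fromstring(unsigned))
    mac = base64.b64encode(hmac.new(key, octets, hashlib.sha1).digest()).decode()
    return unsigned.replace("SIGVAL", mac)


def demo():
    """The cases from the thread; returns which key label validate() settled on."""
    key_a, key_b = b"shared-secret-A", b"shared-secret-B"   # constructed keys
    keystore = {"alice": key_a}
    good = sign("alice", key_a)          # KeyInfo names the key that validates
    mismatched = sign("alice", key_b)    # KeyInfo names a key that does not
    tampered = good.replace('URI="#data"', 'URI="#other"')  # SignedInfo altered
    external = [("out-of-band", key_b)]
    return {
        "keyinfo_ok": validate(good, keystore),
        "keyinfo_wrong_no_external": validate(mismatched, keystore),
        "keyinfo_wrong_external_allowed": validate(mismatched, keystore, external),
        "keyinfo_wrong_external_forbidden": validate(
            mismatched, keystore, external, allow_external=False),
        "tampered": validate(tampered, keystore),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-34s %s" % (case, result))
```

Two points the code makes that the prose only implies: the SignatureMethod URI is read from the canonical SignedInfo, never from the pre-canonical tree, and the key is merely a parameter of step 2, so nothing in the verification arithmetic itself forces step 1 to run first; the ordering matters only if resolving KeyInfo depends on the signed document state. The "mismatched" case is exactly Kent's scenario: whether an out-of-band key may rescue a signature whose KeyInfo names a non-validating key is a verifier policy decision, which is why it is a parameter here rather than a fixed rule.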