W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2001

signer authentication

From: Dournaee, Blake <bdournaee@rsasecurity.com>
Date: Mon, 4 Jun 2001 23:43:31 -0700
Message-ID: <E7B6CB80230AD31185AD0008C7EBC4D2DAED6F@exrsa01.rsa.com>
To: "'Joseph M. Reagle Jr.'" <reagle@w3.org>
Cc: "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>

I am a bit concerned with the use of the term "signer authentication" in the
dsig recommendation. These two
sentences from the dsig (coupled with the definition of "signer
authentication" from the glossary) seem to contradict
each other:

"... XML Signatures provide integrity, message authentication, and/or signer
authentication services for data of any type.."

"The XML Signature is a method of associating a key with referenced data
(octets); it does not normatively
specify how keys are associated with persons or institutions..."

The first sentences says that we support signer authentication and the
second sentences says that we don't. I think it is clear that there is no
way to validate the verification-key-to-person relationship (XML dsig can't
do path validation by itself) using only XML dsig, so I am really wondering
about the definition of "signer authentication services." 

Is it necessary to say that XML dsig supports signer authentication
services? Is this refering to the inclusion of verification material in the
signature itself (such as <KeyInfo>)?


Blake Dournaee
Received on Tuesday, 5 June 2001 02:41:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:10:05 UTC