- From: Dournaee, Blake <bdournaee@rsasecurity.com>
- Date: Mon, 4 Jun 2001 23:43:31 -0700
- To: "'Joseph M. Reagle Jr.'" <reagle@w3.org>
- Cc: "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>
Joseph, I am a bit concerned with the use of the term "signer authentication" in the dsig recommendation. These two sentences from the dsig (coupled with the definition of "signer authentication" from the glossary) seem to contradict each other: "... XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type.." "The XML Signature is a method of associating a key with referenced data (octets); it does not normatively specify how keys are associated with persons or institutions..." The first sentences says that we support signer authentication and the second sentences says that we don't. I think it is clear that there is no way to validate the verification-key-to-person relationship (XML dsig can't do path validation by itself) using only XML dsig, so I am really wondering about the definition of "signer authentication services." Is it necessary to say that XML dsig supports signer authentication services? Is this refering to the inclusion of verification material in the signature itself (such as <KeyInfo>)? Thanks, Blake Dournaee
Received on Tuesday, 5 June 2001 02:41:09 UTC