- From: Dournaee, Blake <bdournaee@rsasecurity.com>
- Date: Tue, 26 Jun 2001 01:19:17 -0700
- To: "'Joseph M. Reagle Jr.'" <reagle@w3.org>, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
- Cc: w3c-ietf-xmldsig@w3.org, Brian LaMacchia <bal@microsoft.com>
Hello All,
I have a comment/question on the latest Dsig Recommendation. In section
4.3.3.1 (The URI Attribute), the following sentence seems to contradict the
usage of the "http://www.w3.org/2000/09/xmldsig#Manifest Type identifier in
a URI element:
"The Type attribute applies to the item being pointed at, not its contents."
That is, if the above sentence were true, then there should only be a type
identifier for <Object> (e.g. "http://www.w3.org/2000/09/xmldsig#Object") -
this is because a <Manifest> element lives inside an <Object> element, so it
should refer to the type (Object), not the contents (Manifest). This also
would coincide with the comment in the end of section 4.3.3.1 about the
proper way to identify a <SignatureProperties> element.
Finally, if no explicit validation of the "Type" information is required,
why even bother putting the restriction there in the first place? It seems
like a restriction is suggested (which appears to me to be somewhat
contradictory) and then subsequently nullified by not including a
well-defined means to enforce the restriction (e.g. Explicitly saying that
the
information will not be validated anyway).
Please be sure to set me straight if I am off the wall on any of this! :)
Kind Regards,
Blake Dournaee
Toolkit Applications Engineer
RSA Security
"The only thing I know is that I know nothing" - Socrates
-----Original Message-----
From: Joseph M. Reagle Jr. [mailto:reagle@w3.org]
Sent: Monday, June 25, 2001 11:51 AM
To: Donald E. Eastlake 3rd
Cc: w3c-ietf-xmldsig@w3.org; Brian LaMacchia
Subject: Re: Comments on 22 June Version...
[
$Revision: 1.87 $ on $Date: 2001/06/25 18:50:34 $
http://www.w3.org/Signature/Drafts/xmldsig-core/Overview.html
]
At 22:52 6/24/2001, Donald E. Eastlake 3rd wrote:
>Section 4.3.1: one occurance of "CanonicalizationMethod" has the
></code> before, instead of after, the last letter.
Fixed.
>Section 4.3.3.2: In both the DTD and Schema, the "stylesheet" element
>should occur in addition to the "XPath" element.
I think you mean 4.3.3.4? We dropped the XLST element, <stylesheet> can be
included by the app.
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001AprJun/0025.html
>Section 4.4: The first three in the list of Type URIs is missing the
>colon (":") after the "http".
Fixed.
>Maybe I'm just missing something but why, in 4.4.3, does it say that
>keying information obtained by a RetrievalMethod "may need to be
>canonicalized"? Even if the KeyInfo is signed, the signature is over
>the RetrievalMethod element and content, not over what is retrieved,
>right?
I think this is because you "may" sign the data obtained by RetrievalMethod.
>Section 4.4.5: Seems a bit odd in just saying that PGPKeyID is a
>string. Actually, I belive, PGPKeyID's are 8 octet binary quantities
>so it would seem like it should say they are Base64 encoded...
I'm not sure. Brian?
>Section 7.3: At the end, the last points two numbered don't seem
>connected to the rest of the text. Suggest preceeding them with "To
>avoid these problems, applications may need to:" or the like.
Done.
--
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature
W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Tuesday, 26 June 2001 04:19:21 UTC