- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Thu, 01 Feb 2001 21:59:38 -0500
- To: w3c-ietf-xmldsig@w3.org
- cc: lde008@dma.isg.mot.com
I think the various sides of this issue
<http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001JanMar/0039.html>
have been well argued and that it is unlikely there will be much
furhter change in opinion. The consensus of the Working Group is for
option 2 and we will proceed on the basis of that choice. This also
means including clearer criterion as to when elements other than those
we have defined can be included within the {X509|PGP|SPKI}Data
element.
I suggest the text in the editors draft at
<http://www.w3.org/Signature/Drafts/xmldsig-core/Overview.html#sec-KeyInfo>
be changed to be the HTML appended below.
Thanks,
Donald
=====================================================================
Donald E. Eastlake 3rd dee3@torque.pothole.com
155 Beaver Street +1 508-634-2066(h)
Milford, MA 01757 USA +1 508-261-5434(w)
<h3>4.4 The <a id="sec-KeyInfo" name="sec-KeyInfo"><code>KeyInfo</code></a> Element</h3>
<p><code>KeyInfo</code> is an optional element that assists the recipient(s) in obtaining the
key needed to validate the signature. <code>KeyInfo</code> may contain keys, names,
certificates and other public key management information, such as in-band key distribution
or key agreement data. This specification defines a few types but applications may
extend those types or all-together replace them with their own key identification and
exchange semantics using the XML namespace facility. [<a href="#ref-XML-ns">XML-ns</a>]</p>
<p>If <code>KeyInfo</code> is omitted, the recipient is expected to be able to identify
the key based on application context information. Multiple declarations within <code>KeyInfo</code>
refer to the same key. While applications may define and use any mechanism they choose
through inclusion of elements from a different namespace, compliant versions MUST
implement <a href="#sec-KeyValue"><code>KeyValue</code></a> (section 4.4.2) and SHOULD
implement <code><a href="#sec-RetrievalMethod">RetrievalMethod</a></code> (section 4.4.3).</p>
<p>The following list summarizes the <code>KeyInfo</code> types defined by this
specification; these can be used within the <code>RetrievalMethod</code> <code>Type</code>
attribute to describe the remote <code>KeyInfo</code> structure as represented as an octet
stream.</p>
<ul>
<li><a href="http://www.w3.org/2000/09/xmldsig#X509Data">http://www.w3.org/2000/09/xmldsig#X509Data</a></li>
<li><a href="http://www.w3.org/2000/09/xmldsig#PGPData">http://www.w3.org/2000/09/xmldsig#PGPData</a></li>
<li><a href="http://www.w3.org/2000/09/xmldsig#SPKIData">http://www.w3.org/2000/09/xmldsig#SPKIData</a></li>
<li><a href="http://www.w3.org/2000/09/xmldsig#MgmtData">http://www.w3.org/2000/09/xmldsig#MgmtData</a></li>
</ul>
<p>The schema/DTD specifications of these types permit their children
elements to be extended/complemented with elements from another namespace. This may be done only
if it is safe to ignore these extension elements. If extension elements are added that must be
considered by a verifier, then a new child of <code>KeyInfo</code> should be defined. Such a new
child may incorporate our elements, such as <code>X509Certificate</code>, and XML schema can be
used to describe the relation of such a new <code>KeyInfo</code> child to the <code>KeyInfo</code>
children we specify.</p>
<p>New <code>KeyInfo</code> children in another namespace might also be defined for entirely
new types of <code>KeyInfo</code> data or <em>alternative</em>
structures to those we define. For example, should a complete XML-PGP standard be defined, it could be used
as a new element in a different namespace that would be a child of <code>KeyInfo</code>.
Should someone define "optional" extensions
to the <code>ds:PGPData</code> children which can be safely ignored, they can be included as siblings.
In either case,
their element types will be in an external namespace.</p>
<p>In addition to the types above for which we define structures, we specify one
additional type to indicate a <a name="rawX509Certificate" id="rawX509Certificate">binary (ASN.1 DER)
X.509 Certificate</a>.
<ul>
<li><a href="http://www.w3.org/2000/09/xmldsig#rawX509Certificate">http://www.w3.org/2000/09/xmldsig#rawX509Certificate</a></li>
</ul>
<pre class="xml-dtd">
Schema Definition:
<complexType name="KeyInfoType" mixed="true">
<!-- (0,unbounded) elements from (0,unbounded) namespaces -->
<choice maxOccurs="unbounded">
<element name="KeyName" type="string"/>
<element name="KeyValue" type="ds:KeyValueType"/>
<element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
<element name="X509Data" type="ds:X509DataType"/>
<element name="PGPData" type="ds:PGPDataType"/>
<element name="SPKIData" type="ds:SPKIDataType"/>
<element name="MgmtData" type="string"/>
<any processContents="lax" namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
</choice>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
</pre>
<pre class="xml-dtd">
DTD:
<!ELEMENT KeyInfo (#PCDATA|KeyName|KeyValue|RetrievalMethod|
X509Data|PGPData|SPKIData|MgmtData %KeyInfo.ANY;)* >
<!ATTLIST KeyInfo
Id ID #IMPLIED >
</pre>
Received on Thursday, 1 February 2001 21:59:37 UTC