- From: Ari Kermaier <arik@phaos.com>
- Date: Fri, 19 Apr 2002 15:14:59 -0400
- To: w3c-ietf-xmldsig@w3.org

Dear All,

In the new interop test set, merlin-xmldsig-twenty-three, there is one test signature that troubles me a little. The one called signature-x509-crt-crl.xml implies signature validation processing that isn't really described by the specification.

It's all well and good that the X509Data element can be used to transport a CRL. However, actually using the CRL should be part of certificate path validation, rather than signature validation per se. I mean, we might as well be testing whether DSig implementations can correctly parse an AuthorityInfoAccess extension in the certificate and execute an OCSP lookup based on the contents.

So, IMHO, deciding to check a certificate against a CRL is application-specific functionality that shouldn't really be introduced into interop testing for the DSig spec in general.

Cheers, Ari

Ari Kermaier arik@phaos.com
Senior Software Engineer
Phaos Technology Corp. http://www.phaos.com/

Received on Friday, 19 April 2002 15:13:14 UTC