Re: Verification Response Proposal: Toolkits ought to return bytes of verified data to the application

• From: Joseph Reagle <reagle@w3.org>
• Date: Wed, 9 Jan 2002 11:46:23 -0500
• To: edsimon@xmlsec.com, w3c-ietf-xmldsig@w3.org
• Cc: manoj@infomosaic.com
• Message-Id: <200201091646.LAA20995@tux.w3.org>

On Tuesday 08 January 2002 20:59, edsimon@xmlsec.com wrote:
> a) a basic verify() method that simply indicates whether the XML
> Signature is valid or not (I think all Toolkits already do at least this)

I agree with your suggestion but at a completely editorial-nit-picking 
level I'd recommend that such methods be called "validate". For 
better-or-worse that's the word the specification uses. (I understand this 
is inconsistent with other usage but it is consistent (in my understanding) 
with RFC2828 in that we needed to strongly focus on our "0-to-light-weight" 
 signature semantics: Signature Validation is "a process intended to 
establish the soundness or correctness of a construct." xmldsig ruled trust 
out of scope and consequently says nothing with respect to the truth, 
accuracy, or trustworthiness of the thing being signed, only in the 
soundness of the XML Signature.)

[1] http://www.ietf.org/rfc/rfc2828.txt

      ISDs SHOULD comply with the following two rules to ensure
      consistency and to align Internet security terminology with
      ordinary English:

       - Rule 1: Use "validate" when referring to a process intended to
         establish the soundness or correctness of a construct. (E.g.,
         see: certificate validation.)

       - Rule 2: Use "verify" when referring to a process intended to
         test or prove the truth or accuracy of a fact or value. (E.g.,
         see: authenticate.)

      The rationale for Rule 1 is that "valid" derives from a word that
      means "strong" in Latin. Thus, to validate means to make sure that
      a construction is sound. A certificate user validates a public-key
      certificate to establish trust in the binding that the certificate
      asserts between an identity and a key. (To validate can also mean
      to officially approve something; e.g., NIST validates
      cryptographic modules for conformance with FIPS PUB 140-1.)

      The rationale for Rule 2 is that "verify" derives from a word that
      means "true" in Latin. Thus, to verify means to prove the truth of
      an assertion by examining evidence or performing tests. To verify
      an identity, an authentication process examines identification
      information that is presented or generated. To validate a
      certificate, a certificate user verifies the digital signature on
      the certificate by performing calculations; verifies that the
      current time is within the certificate's validity period; and may
      need to validate a certification path involving additional
      certificates.



-- 

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Wednesday, 9 January 2002 11:46:55 UTC