- From: Joseph Reagle <reagle@w3.org>
- Date: Wed, 9 Jan 2002 11:46:23 -0500
- To: edsimon@xmlsec.com, w3c-ietf-xmldsig@w3.org
- Cc: manoj@infomosaic.com
On Tuesday 08 January 2002 20:59, edsimon@xmlsec.com wrote: > a) a basic verify() method that simply indicates whether the XML > Signature is valid or not (I think all Toolkits already do at least this) I agree with your suggestion but at a completely editorial-nit-picking level I'd recommend that such methods be called "validate". For better-or-worse that's the word the specification uses. (I understand this is inconsistent with other usage but it is consistent (in my understanding) with RFC2828 in that we needed to strongly focus on our "0-to-light-weight" signature semantics: Signature Validation is "a process intended to establish the soundness or correctness of a construct." xmldsig ruled trust out of scope and consequently says nothing with respect to the truth, accuracy, or trustworthiness of the thing being signed, only in the soundness of the XML Signature.) [1] http://www.ietf.org/rfc/rfc2828.txt ISDs SHOULD comply with the following two rules to ensure consistency and to align Internet security terminology with ordinary English: - Rule 1: Use "validate" when referring to a process intended to establish the soundness or correctness of a construct. (E.g., see: certificate validation.) - Rule 2: Use "verify" when referring to a process intended to test or prove the truth or accuracy of a fact or value. (E.g., see: authenticate.) The rationale for Rule 1 is that "valid" derives from a word that means "strong" in Latin. Thus, to validate means to make sure that a construction is sound. A certificate user validates a public-key certificate to establish trust in the binding that the certificate asserts between an identity and a key. (To validate can also mean to officially approve something; e.g., NIST validates cryptographic modules for conformance with FIPS PUB 140-1.) The rationale for Rule 2 is that "verify" derives from a word that means "true" in Latin. Thus, to verify means to prove the truth of an assertion by examining evidence or performing tests. To verify an identity, an authentication process examines identification information that is presented or generated. To validate a certificate, a certificate user verifies the digital signature on the certificate by performing calculations; verifies that the current time is within the certificate's validity period; and may need to validate a certification path involving additional certificates. -- Joseph Reagle Jr. http://www.w3.org/People/Reagle/ W3C Policy Analyst mailto:reagle@w3.org IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature/ W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Wednesday, 9 January 2002 11:46:55 UTC