Comments on AuthXML 11/22/00 from Joseph M. Reagle Jr. on 2000-12-20 (www-archive@w3.org from December 2000)

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Wed, 20 Dec 2000 15:54:18 -0500
To: authxml-contrib@authxml.org
Cc: www-archive@w3.org
Message-Id: <4.3.2.7.2.20001220153356.02b36ef8@rpcp.mit.edu>

Howdy, some quick comments (since it's PDF, it makes it a little harder for 
me to put comments in context (and grep through) since it's not easy to quote)
:
Document still has confidential notice in footer.

2.1.2: The first two sentences are sort of confusing and "entity" risks 
collision/confusion with both XML and HTTP.

3.1.1.2: Too bad ID is type xsd:string (and not xsd:ID), but understandable 
given you want to use integer as first character in identifier (prohibited 
by XML)

3.1.1.3: <field name="foo">bar</field>: it'd be cleaner if folks could just 
plug in their own XML instances from an external namespace.

3.1.5.2 and 5: extension is a complexType of mixed="true" but no content 
element types are defined, so this only permits character data (right?). I 
think you want to make use of <ANY> here. Also, if you intend the content of 
extension to be only elements, you can rely upon the namespace and can 
remove the need for the extension type attribute which will then be 
redundant with the namespace.

7.1: Finally, I'm not exactly sure of the binding with XML Signature. Is 
your intent to have the Signature be an enveloping Signature only, with only 
its very weak meaning: some key applied to octets? Or do you want to work 
with detached, enveloped, and enveloping? If enveloped, then you should 
define a place in your schema for it; furthermore this allows you to better 
define its meaning in your application context.

<access-request>
   ...
   <authentication>
     <dsig:Signature>
      ...
      </dsig:Signature>
   </authentication>
</access-request>

So in this instances you get to define what a authenticated access-request is.

(You can do the same with enveloping or detached signature by inclusion of 
the meaning in the  SignatureProperty [2].)

[1] http://www.authxml.org/docs/draft-authxml-v2.pdf
[2] http://www.w3.org/2000/12/xmldsig-p3p-profile/Overview.html#sec-Semantics

__
Joseph Reagle Jr.
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Wednesday, 20 December 2000 15:55:19 UTC