Re: Determining attribute uniqueness seems to require namespace prefix in Infoset

At 4:45 PM -0400 8/16/00, Donald E. Eastlake 3rd wrote:
>  ><dsig:Reference xmlns:dsig="&dsig;" URI="#X" dsig:URI="#Y>
>>...
>>
>>If my implementation picks up URI and your implementation picks up dsig:URI,
>>then only one of us will correctly validate this beastly signature.
>
>While a bad state of affairs we should avoid, I would put 90%+ of the
>blame for such a non-interoperability on the software which generated
>the above Reference.

DANGER, DANGER, WILL ROBINSON! This is exactly the attitude that got 
X.509/PKIX into the sorry state it is in today. If you want 
interoperability between signature creators and validators, you MUST 
prevent any ambiguity about how to interpret abominations like the 
above.

>  >Below you state, "If the text documenting N and/or E doesn't tell you what
>>to do here, you get to toss a coin or something."  Tossing a coin undermines
>>the interoperability that is supposedly the cornerstone of XML. The 'if'
>>part of your statement should not be true for any application of XML, and
>>therefore not for XML DSig in particular.
>
>Sure it shouldn't but I bet it is for most.

Then why even continue with this work? IETF work is meant to assure 
interoperability, not just "look, we came up with another format for 
an interesting type of data". This WG has the opportunity to make XML 
digsigs very useful, but if you can't even get them more 
interoperable than those in CMS or even PGP, they won't be very 
popular, which would be sad. (I say this as someone who holds his 
nose when I need to wade through ASN.1 but just wince when I have to 
use XML.)

--Paul Hoffman, Director
--Internet Mail Consortium

Received on Wednesday, 16 August 2000 18:00:07 UTC