- From: Paul Hoffman / IMC <phoffman@imc.org>
- Date: Wed, 16 Aug 2000 14:59:24 -0700
- To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>, "John Boyer" <jboyer@PureEdge.com>
- Cc: <xml-names-editor@w3.org>, <www-xml-infoset-comments@w3.org>, "XML DSig" <w3c-ietf-xmldsig@w3.org>
At 4:45 PM -0400 8/16/00, Donald E. Eastlake 3rd wrote: > ><dsig:Reference xmlns:dsig="&dsig;" URI="#X" dsig:URI="#Y> >>... >> >>If my implementation picks up URI and your implementation picks up dsig:URI, >>then only one of us will correctly validate this beastly signature. > >While a bad state of affairs we should avoid, I would put 90%+ of the >blame for such a non-interoperability on the software which generated >the above Reference. DANGER, DANGER, WILL ROBINSON! This is exactly the attitude that got X.509/PKIX into the sorry state it is in today. If you want interoperability between signature creators and validators, you MUST prevent any ambiguity about how to interpret abominations like the above. > >Below you state, "If the text documenting N and/or E doesn't tell you what >>to do here, you get to toss a coin or something." Tossing a coin undermines >>the interoperability that is supposedly the cornerstone of XML. The 'if' >>part of your statement should not be true for any application of XML, and >>therefore not for XML DSig in particular. > >Sure it shouldn't but I bet it is for most. Then why even continue with this work? IETF work is meant to assure interoperability, not just "look, we came up with another format for an interesting type of data". This WG has the opportunity to make XML digsigs very useful, but if you can't even get them more interoperable than those in CMS or even PGP, they won't be very popular, which would be sad. (I say this as someone who holds his nose when I need to wade through ASN.1 but just wince when I have to use XML.) --Paul Hoffman, Director --Internet Mail Consortium
Received on Wednesday, 16 August 2000 18:00:07 UTC