Nearby:XML Security Working Group
Quick access to LC-2502
There are 3 comments (sorted by their types, and the section they are about).
On Mon, Jun 20, 2011 at 3:21 PM, Cantor, Scott E. <email@example.com> wrote:
> On 6/20/11 8:37 AM, "Marcos Caceres" <firstname.lastname@example.org> wrote:
>>Is there some means to explicitly indicate the order in which
>>certificates in an xml dig sig file should be processed? The problem
>>is that if you screw up the certificate order in the xml file, the
>>validator (e.g., xmlsec) does not know which cert is the end-entity.
> BP is EE first, the rest after (and technically the order of the rest
> isn't supposed to matter).
Can I get an assurance from the XML Sec working group that a
non-normative note will be added to the XML Dig Sig specification with respect
to this best practice? Please consider this comment implementer
feedback on the CR.
Add link and informative reference to XML Signature Best Practices document to XML Signature 1.1 introduction.
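As an added illustration of the point in the exchange above (this is not code from the comment thread, the XML Signature specification, or xmlsec): a ds:KeyInfo consumer that does not depend on the order of ds:X509Certificate elements at all. It identifies the end-entity as the certificate whose subject issued nothing else in the set, then walks issuer links until it reaches a self-signed certificate or runs out. The certificates are constructed in the code (fake_cert builds minimal, unsigned DER with the real X.509 field layout) so the example runs offline; names are compared as raw DER bytes, and the hypothetical fake_cert, names_of and order_chain helpers are this example's own, not an API of any library.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"


def der(tag, body):
    """Encode one DER TLV (single-byte tag, short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value bytes, offset after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(body):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out


OID_CN = bytes.fromhex("550403")                    # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")
OID_RSA = bytes.fromhex("2a864886f70d010101")


def name(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }."""
    atv = der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode("ascii")))
    return der(0x30, der(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """Constructed stand-in certificate: real field layout, dummy key and signature (assumption)."""
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                        # [0] version v3
              + der(0x02, b"\x01")                                 # serialNumber
              + der(0x30, der(0x06, OID_SHA256_RSA))               # signature AlgorithmIdentifier
              + name(issuer_cn)                                    # issuer
              + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
              + name(subject_cn)                                   # subject
              + der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00\x00")))
    return der(0x30, tbs + der(0x30, der(0x06, OID_SHA256_RSA)) + der(0x03, b"\x00" * 5))


def names_of(cert):
    """Return (subject, issuer) as raw DER Name bodies; byte equality is the comparison."""
    _, cert_body, _ = tlv(cert)
    _, tbs, _ = tlv(cert_body)
    fields = children(tbs)
    if fields[0][0] == 0xA0:           # explicit version is optional
        fields = fields[1:]
    return fields[4][1], fields[2][1]  # subject, issuer


def cn_of(name_body):
    """Pull the string out of the first RDN, for display only."""
    rdn = children(name_body)[0][1]
    atv = children(rdn)[0][1]
    return children(atv)[1][1].decode("ascii")


def certs_from_keyinfo(xml_text):
    root = ET.fromstring(xml_text)
    return [base64.b64decode(e.text) for e in root.iter(f"{{{DS}}}X509Certificate")]


def order_chain(certs):
    """End-entity first, then each issuer in turn, whatever order the XML used."""
    info = [(c,) + names_of(c) for c in certs]
    issuers = {iss for _, _, iss in info}
    ee = [c for c, subj, _ in info if subj not in issuers]
    if len(ee) != 1:
        raise ValueError(f"expected one end-entity certificate, found {len(ee)}")
    by_subject = {subj: c for c, subj, _ in info}
    chain = [ee[0]]
    while True:
        subj, iss = names_of(chain[-1])
        nxt = by_subject.get(iss)
        if iss == subj or nxt is None or nxt in chain:   # self-signed, absent, or loop
            return chain
        chain.append(nxt)


def keyinfo_xml(certs):
    """Constructed ds:KeyInfo carrying the given certificates in the given order."""
    blobs = "".join(f"<ds:X509Certificate>{base64.b64encode(c).decode()}</ds:X509Certificate>" for c in certs)
    return f'<ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>{blobs}</ds:X509Data></ds:KeyInfo>'


def demo(order=("root", "intermediate", "leaf")):
    """Default order is the wrong one (root first); the result is EE-first regardless."""
    certs = {"root": fake_cert("Root CA", "Root CA"),
             "intermediate": fake_cert("Intermediate CA", "Root CA"),
             "leaf": fake_cert("leaf.example", "Intermediate CA")}
    chain = order_chain(certs_from_keyinfo(keyinfo_xml([certs[k] for k in order])))
    return [cn_of(names_of(c)[0]) for c in chain]


if __name__ == "__main__":
    print(demo())
```

The signer should still emit the end-entity certificate first, as the best practice says; the consumer-side reordering here is a robustness measure, not a substitute for chain building and signature verification, which this example deliberately leaves out (the constructed certificates carry no usable key or signature).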
Section 4.5, paragraph 2:
"If KeyInfo is omitted, the recipient is expected to be able to identify the key
based on application context. Multiple declarations within KeyInfo refer to the
same key. While applications may define and use any mechanism they choose
through inclusion of elements from a different namespace, compliant versions
must implement KeyValue (section 4.5.2 The KeyValue Element) and should
implement RetrievalMethod (section 4.5.3 The RetrievalMethod Element)."
These requirements seem like they should be revisited, especially since a later
section says to avoid RetrievalMethod because of potential security concerns
(see Note in section 4.5.10). Also, does this imply that all KeyValues must be
supported? I would think it should only be supported if there is a required
signature algorithm for the corresponding key type. Had there ever been any
discussion about updating the list of required KeyInfo types?