Edit comment LC-2502 for XML Security Working Group

Quick access to

Previous: LC-2504

Comment LC-2502
Commenter: Sean Mullan <sean.mullan@oracle.com>

Resolution status:

Section 4.5, paragraph 2:

"If KeyInfo is omitted, the recipient is expected to be able to identify the key
based on application context. Multiple declarations within KeyInfo refer to the
same key. While applications may define and use any mechanism they choose
through inclusion of elements from a different namespace, compliant versions
must implement KeyValue (section 4.5.2 The KeyValue Element) and should
implement RetrievalMethod (section 4.5.3 The RetrievalMethod Element)."

These requirements seem like they should be revisited, especially since a later
section says to avoid RetrievalMethod because of potential security concerns
(see Note in section 4.5.10). Also, does this imply that all KeyValues must be
supported? I would think it should only be supported if there is a required
signature algorithm for the corresponding key type. Had there ever been any
discussion about updating the list of required KeyInfo types?

(space separated ids)
(Please make sure the resolution is adapted for public consumption)

Developed and maintained by Dominique Hazaël-Massieux (dom@w3.org).
$Id: 2502.html,v 1.1 2017/08/11 06:45:12 dom Exp $
Please send bug reports and request for enhancements to w3t-sys.org