- From: Sean Mullan <sean.mullan@oracle.com>
- Date: Wed, 29 Jun 2011 15:24:36 -0400
- To: XMLSec WG <public-xmlsec@w3.org>
Section 4.5, paragraph 2:

> "If KeyInfo is omitted, the recipient is expected to be able to identify the key based on application context. Multiple declarations within KeyInfo refer to the same key. While applications may define and use any mechanism they choose through inclusion of elements from a different namespace, compliant versions must implement KeyValue (section 4.5.2 The KeyValue Element) and should implement RetrievalMethod (section 4.5.3 The RetrievalMethod Element)."

These requirements seem like they should be revisited, especially since a later section says to avoid RetrievalMethod because of potential security concerns (see Note in section 4.5.10).

Also, does this imply that all KeyValues must be supported? I would think it should only be supported if there is a required signature algorithm for the corresponding key type. Had there ever been any discussion about updating the list of required KeyInfo types?

Thanks,
Sean
Received on Wednesday, 29 June 2011 19:25:14 UTC
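A verifier-side KeyInfo policy check of the kind the message argues for, added here as an example and not code from the thread, the working group or any XML Signature implementation: it refuses RetrievalMethod, accepts a KeyValue only when its type matches a signature algorithm the application actually requires, and falls back to an application-context key when KeyInfo is omitted. The policy table, the `check_key_info` function and the sample documents are assumptions constructed for the example; the namespace URIs and element names are the standard xmldsig and xmldsig11 ones.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS11 = "http://www.w3.org/2009/xmldsig11#"

# Assumed application policy: the only KeyValue types accepted are those whose
# key type matches a signature algorithm this application actually requires.
ACCEPTED_KEY_TYPES = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": f"{{{DS}}}RSAKeyValue",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256": f"{{{DS11}}}ECKeyValue",
}

def check_key_info(signature_xml, context_key=None):
    """Decide which key may verify the signature, or raise ValueError."""
    root = ET.fromstring(signature_xml)
    method = root.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    algorithm = method.get("Algorithm") if method is not None else None
    wanted = ACCEPTED_KEY_TYPES.get(algorithm)
    if wanted is None:
        raise ValueError(f"unsupported SignatureMethod: {algorithm}")
    key_info = root.find(f"{{{DS}}}KeyInfo")
    if key_info is None:
        # Omitted KeyInfo: the key must come from application context.
        if context_key is None:
            raise ValueError("KeyInfo omitted and no key known from context")
        return ("context", context_key)
    if key_info.find(f"{{{DS}}}RetrievalMethod") is not None:
        # Refuse to dereference URIs supplied by the signer (Note in 4.5.10).
        raise ValueError("RetrievalMethod not accepted")
    key_value = key_info.find(f"{{{DS}}}KeyValue/{wanted}")
    if key_value is None:
        raise ValueError("no KeyValue matching the signature algorithm")
    return ("keyvalue", key_value.tag)

# Constructed sample documents (SignatureValue and key material are dummies).
SAMPLE_OK = (f'<Signature xmlns="{DS}"><SignedInfo><SignatureMethod Algorithm='
             '"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></SignedInfo>'
             '<SignatureValue>AA==</SignatureValue><KeyInfo><KeyValue><RSAKeyValue>'
             '<Modulus>AQAB</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>'
             '</KeyInfo></Signature>')
SAMPLE_RETRIEVAL = SAMPLE_OK.replace(
    "<KeyInfo>", '<KeyInfo><RetrievalMethod URI="http://example.invalid/key"/>')
SAMPLE_NO_KEYINFO = SAMPLE_OK[:SAMPLE_OK.index("<KeyInfo>")] + "</Signature>"

if __name__ == "__main__":
    print(check_key_info(SAMPLE_OK))
    print(check_key_info(SAMPLE_NO_KEYINFO, context_key="app-key-1"))
```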