Joel,
I was specifically referring to the issue you raised regarding requiring
digital signatures on payloads.
BTW the rationale for this requirement was that since registries cannot
afford to verify integrity of submitted content and their source, a digital
signature would at least provide a link to the source of the content.
Of course I agree that typos and the "public
vs. private bug" must be fixed in 2.1. I do however disagree that a second
review cycle and vote should be necessary for fixing minor typos like this.
I think we can simply say we approve the specs with specific comments they
want to make sure are addressed.
--
Regards,
Farrukh
"Munter, Joel D" wrote:
Please see my recent response to Suresh. On the 1st two security related
issues highlighted below, I agree. However,
I strongly believe that the public vs. private bug (highlighted) below,
as well as the bunch of spelling and grammatical errors that I noted in
my original post the other day should be fixed prior to the release of
v2.1. Even if this means another review/approval cycle.
Joel
Joel,
V2.1 is intended to be a bug fix release and not for arbitrary changes
to the spec. We have required digital signatures on payloads since the
earliest versions of the specs. This was not objected to by anyone in V1.0
or V2.0. Making any changes here would be major and I would advise strongly
against it.
--
Regards,
Farrukh
"Munter, Joel D" wrote:
My primary argument is, "financial and technological barriers to entry."
Certificate acquisition and management are not free and not trivial.
From a practical point, I may choose to make some things that I publish,
purely public and dsig just simply is not required. I want to be
able to choose what I sign. imho Signing entries should be optional.
It has been suggested (by others) that the first two might be reconsidered
in the V3 timeframe.
Joel
Joel,
Responses to your security related, "non-typo" type of comments below.
Regards,
-Suresh
Sterling Commerce
<snip>
line 3696:3697: I still believe that this specification should NOT mandate digital
signature for all content per the statement "The Registry Client has to sign
the contents before submission - otherwise the content will be rejected."
line 3733:3734: I have the same objection to mandating digital signatures on
payloads per the text "This packaging assumes that the payload is always signed."
[Damodaran, Suresh] What is your rationale behind your objection?
line 3876:3877: Should the second occurrence of public key in the following
sentence, "To validate a signature, the recipient of the signature needs the
public key corresponding to the signer's public key." actually be private
key? If not then something else seems very awkward about this sentence.
[Damodaran, Suresh] You are right. It should be "private key."
<snip>