OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: [security-services] Minutes for Telecon, Tuesday 29 October 2002


>     - Discussion of listing in our specs of C14N as SHOULD vs. MUST
>         - appears to be a SHOULD in current spec
>     - Discussion of whether the current problem is one where
>       verification would succeed when it shouldn't or whether the 
>       verification would fail when it shouldn't
>         - general uncertainty

Just a quick comment, if I understand the basic context...

In general the C14N issues in the spec vs. what's needed would cause
failure in some contexts that should be valid, so that's (I guess) the
better of the two answers.

The other issues in the draft are really about interop and about stuff
you need to do in different cases to properly validate the signature so
that naïve implementers (like me for instance) don't think just running
a
verify() method in their library tells them what they need to know.

>     - Ron: sounds like whatever is recommended in the spec currently
>       doesn't preclude anyone from doing the right thing, but it does
>       recommend doing the wrong thing

Using inclusive C14N is only the wrong thing in WS-Security and certain
other contexts, but is perfectly ok for the POST profile, for example.
So it's not so much right/wrong as just "use the right tool for the
job".

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC