On Fri, 27 May 2005 at 13:02:17 -0700 Paul Hoffman spoke thusly:
> At 12:57 PM -0600 5/27/05, The Purple Streak, Hilarie Orman wrote:
> >Do you intend to require Keyinfo in the Signature element? Any
> >requirements on that?
> In the base format spec, we are simply relying on XMLDigSig. If that
> turns out to be insufficient, we'll certainly add advice about what
> signed feeds and entries should do.
> --Paul Hoffman, Director
> --Internet Mail Consortium

The Key Info is part of the XMLDigSig, but it is not required. Because it tells you where and how to obtain the pertinent certificate, it could be a boon for this particular application. There is no need to keep the signer secret, so I'd think it should be required. It doesn't solve the chain-of-trust problem, though.

Hilarie
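An added example, not part of the thread above: a consumer-side policy check that reports whether each `ds:Signature` in an entry carries a `ds:KeyInfo` and which key-location hints it contains. The function name `keyinfo_report`, the two sample entries and the `example.org` URI are constructed for illustration; the code does not verify the signature, and the hints it returns stay untrusted until the certificate is validated against a trust anchor.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ATOM = "http://www.w3.org/2005/Atom"
# KeyInfo children defined by XML-DSig that say which key was used or where to fetch it.
HINT_TAGS = ("KeyName", "KeyValue", "RetrievalMethod", "X509Data")

# Constructed sample entries; the Signature elements are abbreviated placeholders.
WITH_KEYINFO = f"""<entry xmlns="{ATOM}" xmlns:ds="{DS}">
  <ds:Signature>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>feed-signing-key</ds:KeyName>
      <ds:RetrievalMethod URI="https://example.org/certs/feed.cer"/>
    </ds:KeyInfo>
  </ds:Signature>
</entry>"""
WITHOUT_KEYINFO = f"""<entry xmlns="{ATOM}" xmlns:ds="{DS}">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</entry>"""

def keyinfo_report(xml_text, require_keyinfo=True):
    """Return one dict per ds:Signature describing its KeyInfo hints."""
    root = ET.fromstring(xml_text)
    reports = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        # Only a KeyInfo that is a direct child of this Signature counts.
        key_info = sig.find(f"{{{DS}}}KeyInfo")
        hints = []
        if key_info is not None:
            for child in key_info:
                ns, _, local = child.tag[1:].partition("}")
                if ns == DS and local in HINT_TAGS:
                    hints.append((local, child.get("URI")))
        reports.append({
            "has_keyinfo": key_info is not None,
            "hints": hints,  # unauthenticated until the chain is validated
            "accepted": bool(hints) or not require_keyinfo,
        })
    return reports

if __name__ == "__main__":
    for name, doc in (("with", WITH_KEYINFO), ("without", WITHOUT_KEYINFO)):
        print(name, keyinfo_report(doc))
```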