Marcos

I have added a comment in our tracker tool regarding addition of an informative reference and link to XML Signature Best Practices to the Introduction/References of XML Signature 1.1 (and implicitly XML Signature 2.0 as well).

See LC-2504: http://www.w3.org/2006/02/lc-comments-tracker/42458/CR-xmldsig-core1-20110303/2504

I've also recorded and marked as resolved the issue related to certificate order, LC-2503: http://www.w3.org/2006/02/lc-comments-tracker/42458/CR-xmldsig-core1-20110303/2503

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security WG

On Jun 28, 2011, at 6:16 PM, ext Marcos Caceres wrote:

> Hi Frederick, XML Sec WG,
>
> On Tue, Jun 28, 2011 at 8:43 PM, <frederick.hir...@nokia.com> wrote:
>> Marcos
>>
>> The XML Security WG discussed your proposed addition regarding certificate
>> ordering at our teleconference today [1].
>>
>> The Working Group does not agree to change the core XML Signature
>> specification as these would not be normative changes to that specification.
>> The XML Signature specification focuses on the details of signing but as a
>> design choice does not detail generic PKI considerations (or details related
>> to the various KeyInfo materials that have schema places in the
>> specification) [2].
>>
>
> Understood.
>
>> The sense of the Working Group is that a profile of XML Signature, such as
>> Widget Signature, would be an appropriate place to note practices or
>> restrictions important to that specification.
>>
>
> I will add this non-normative note to the Widget Signature specification.
>
>> However, the XML Security WG does have a non-normative XML Signature Best
>> Practices document [3] and could add material such as this to it, which
>> would probably also make sense. Would you be able to craft language for a
>> best practice (the document uses a format of expressing the issue, a short
>> statement of the practice and then details)?
>>
>
> I'd be happy to propose some text. I'll just send you whatever ends
> up in the Widget Sig specification.
>
> Additionally, it is great that the XML Security Working Group has
> created a best practices document. I would encourage the Working Group
> to link to the best practices from the Introduction of the
> specification or as a non-normative reference. Or add it under the
> Editors as a link in the header of the document, so it can be quickly
> and easily found.
>
> Again, I speak from having dealt with numerous (~7) companies trying
> to implement XML Dig Sig 1.1 + the Widgets Signature spec. There is *a
> lot* of confusion about this stuff out there and a lot of frustration
> because it's super hard to find any useful guidance or information
> easily.
>
> I urge the working group, please: this is a pretty good technology and
> it's not that hard to use once you understand what is going on. The
> more guidance this working group can provide, the better. I'll do my
> bit on the Widget Dig Sig side, but you guys also have a
> responsibility to make XML Dig Sigs a pleasant experience to use (from
> a specification, implementation, and author perspective). At least
> linking to the best practices guide from the spec is a step in the
> right direction, even if you don't include a non-normative note about
> it.
>
> Kind regards,
> Marcos
>
> --
> Marcos Caceres
> http://datadriven.com.au