At 3:07 PM -0600 5/27/05, The Purple Streak, Hilarie Orman wrote:
The Key Info is part of the XMLDigSig, but it is not required. Because it tells you where and how to obtain the pertinent certificate, it could be a boon for this particular application. There is no need to keep the signer secret, so I'd think it should be required.
This is the kind of thing we can do in the implementer's guidelines.
It doesn't solve the chain-of-trust problem, though.
Nothing does :-) . Or is that :-( ?

--Paul Hoffman, Director
--Internet Mail Consortium
