If the actual credentials are to be stored
in a CPA or CPA template (where those
credentials may be some userid/name and
password combination), then we would need
to wait until XML Encryption is done to
obtain the necessary data confidentiality.
We have considered these issues previously
on several occasions (for example, for ftp
user, password, and directories to be used...).
Each time we have had reservations about
storing these items within a CPA. One reason,
beyond data confidentiality issues, is that
these credentials are subject to different
policies concerning expiration, unilateral
changeability, and so on. (We don't
want to invalidate a CPA signature because
of a change in passwords, necessarily.)
Possibly we could use an xlink/xpointer/URI
within the CPA to reference a generalized credential
container if there is a need to establish links between
CPAs and credentials. (This credential
container would be something like
the pkcs12 container used for keypairs;
I haven't yet encountered an XML credential
store container format that has been proposed,
though.)
Dale Moberg
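As an added illustration of the signature argument above (not code from the original message or from the ebXML specifications), the snippet below contrasts a CPA with an embedded password against one that points to an external credential container via xlink:href; it assumes constructed element names (Credential, CredentialRef), a placeholder store keyed by URI fragment, and a plain SHA-256 over the serialized tree standing in for the CPA signature.

```python
import hashlib
import xml.etree.ElementTree as ET

XLINK = "http://www.w3.org/1999/xlink"
ET.register_namespace("xlink", XLINK)

# Constructed, minimal stand-ins for a CPA; element names are assumptions,
# not the ebXML CPA schema.
CPA_EMBEDDED = """<CPA id="cpa-1">
  <Party>PartyA</Party>
  <Credential userid="ftpuser" password="{pw}"/>
</CPA>"""

CPA_BY_REFERENCE = """<CPA id="cpa-1" xmlns:xlink="http://www.w3.org/1999/xlink">
  <Party>PartyA</Party>
  <CredentialRef xlink:href="urn:example:credstore#ftp-partya"/>
</CPA>"""

# Assumed external credential container, addressed by URI fragment.
CRED_STORE = {"ftp-partya": {"userid": "ftpuser", "password": "s3cret"}}


def cpa_digest(cpa_xml: str) -> str:
    """Stand-in for the signed digest of a CPA: hash the serialized tree
    (a real XML Signature would canonicalize with C14N first)."""
    root = ET.fromstring(cpa_xml)
    return hashlib.sha256(ET.tostring(root)).hexdigest()


def resolve_credential(cpa_xml: str, store: dict) -> dict:
    """Follow the xlink:href fragment in a by-reference CPA to the
    externally managed credential (the indirection proposed above)."""
    ref = ET.fromstring(cpa_xml).find("CredentialRef")
    href = ref.get("{%s}href" % XLINK)
    return store[href.split("#", 1)[1]]


def rotate_embedded(old_pw: str, new_pw: str) -> bool:
    """True if rotating a password embedded in the CPA changes its digest,
    i.e. would invalidate the CPA signature."""
    return (cpa_digest(CPA_EMBEDDED.format(pw=old_pw))
            != cpa_digest(CPA_EMBEDDED.format(pw=new_pw)))


def rotate_by_reference(store: dict, new_pw: str) -> bool:
    """True if rotating the password in the external store changes the
    CPA digest; expected False, since the agreement text is untouched."""
    before = cpa_digest(CPA_BY_REFERENCE)
    store["ftp-partya"]["password"] = new_pw
    return cpa_digest(CPA_BY_REFERENCE) != before
```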