On Nov 2, 2012, at 7:52 AM, Jeroen van der Ham <vdham@uva.nl> wrote:

Hi,

Last call we briefly discussed the issue of the identifiers and their relation to the security section of the schema document.

I've tried to write something for this, and I would appreciate feedback:

Implementers should be aware that the NML descriptions do not provide any guarantee regarding the integrity nor the authenticity. The NML documents also can not provide this for the identifiers contained in the documents. Implementers should use external means of verifying the authenticity of identifiers contained in the documents.

I think the focus on identifiers is wrong. The issue is that if nml description A creates an element named X, and nml description B has an element named X, there is no way to define which X is correct, and in fact, the "merge all X's into a single X" means that X, whatever it may be, is the combination of the X's in nml descriptions A and B.

I might word it like:

Implementers should be aware that the NML descriptions do not have any guarantees regarding the integrity nor the authenticity. It is Implementers should use external means of verifying the integrity and authenticity of the elements contained in NML descriptions.

Cheers,
Aaron

TIP2013, University of Hawaii Mānoa
January 13 - January 17, 2013, Honolulu, HI
http://events.internet2.edu/2013/tip/