W3C home > Mailing lists > Public > public-p3p-spec@w3.org > May 2003

Re: Rationale for XML Digital Signature

From: Rigo Wenning <rigo@w3.org>
Date: Wed, 7 May 2003 09:03:07 +0200
To: Public-P3p-Spec <public-p3p-spec@w3.org>
Message-ID: <20030507070307.GL4523@localhost>

On Tue, May 06, 2003 at 12:52:03PM -0400, Joseph M. Reagle Jr. wrote:
> 1. Would it lead to the presumption that a unsigned P3P policy is somehow 
> less committed to or binding?

I don't think by adding non-repudiation to a P3P Policy one reduces the
meaning or value of a non-signed policy. The signature does not add
meaning to the policy. It is only a question of evidence.

> 2. Who exactly is validating the signature? This isn't something users are 
> likely to comprehend or be able to easily do. (How is it that they are 
> getting the service's public key for the validation, this presumes a level 
> of infrastructure and knowledge which is not yet present.)

That's actually a good question. I would _love_ to see native XML
Signature support in browsers to be able to sign XHTML-pages (for courts
and laws e.g.). But I agree, we are far from there.
> 
> So I think a signed privacy is a nice exercise, but don't find it that 
> compelling in the b2c scenario and might weaken the interpretation of a 
> unsigned policy.

It might create yet another incentive to implement XML Sig into an
agent. I think the signature requirement is more or less a requirement
to be able to link old-style paper procedures with digital ones without
to much change. (see EU-Directive on Sig that create an _equivalent_ to
handwritten signature)

So for me, it's a nice enhancement, but not a must be. In fact, it might
be nice to have a common way to do signatures on policies, if there are
many ways to implement that. But Jo, you can tell better _if_ there are
really many ways..

Rigo
Received on Wednesday, 7 May 2003 03:03:14 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:24 EST