W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 1999

RE: Clarification on URIs

From: Richard D. Brown <rdbrown@GlobeSet.com>
Date: Tue, 15 Jun 1999 10:15:34 -0500
To: "'Joseph M. Reagle Jr.'" <reagle@w3.org>, "'John Boyer'" <jboyer@uwi.com>
Cc: "'Dsig group'" <w3c-ietf-xmldsig@w3.org>
Message-ID: <006501beb741$eb096010$0bc0010a@artemis.globeset.com>
Joseph,

The second requirement "XML-Signatures can be applied to any Web resource.
Consequently, XML-Signature referants are identified with URIs" may have
huge implications on composite documents. According to the XLink
specifications, if the URI is provided then it shall refer to the
"containing resource." Therefore it seems that a signature will be
verifiable only in the context of the original document, thus preventing
verification on composite documents.

In the XML-DSIG draft specification, I have proposed the use of XLink
because they do not mandate the URI portion. By default, an XLink refers to
the containing resource, thence allowing relative references. I strongly
feel that mandating the use of URI will render the specification
inapplicable to XML applications that heavily rely upon composition (IOTP,
eCheck, BIPS...). Recall that, before all, they authenticate XML elements
and not necessarily XML documents.

Mandating the use of URI implies that a composite document shall refer to
the original resources (elements) instead of embedding a copy of these
resources. Though this might be doable and certainly closer to the Web
philosophy, it requires either the adoption of some form of packaging (i.e.
CBL) or dynamic access to the resources referred by the composite document
(similar to fetching embedded objects in a HTML page). Though the latter may
have many benefits (synchronization among other things), it might be quite
difficult to implement in the real world (i.e.granted access to authorized
users, especially in a n-tier communication framework).

Sincerely,

Richard D. Brown
Software Architect - R&D
GlobeSet, Inc. Austin TX - U.S.


 -----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of Joseph M. Reagle Jr.
Sent: Monday, June 14, 1999 10:06 AM
To: John Boyer
Cc: Dsig group
Subject: Re: Clarification on URIs


    At 02:53 PM 6/11/99 -0700, John Boyer wrote:
    >>>>

        The reason I asked this was that if 3.a.2 is in fact referring to
resources locators in the manifest, then isn't requirement 3.a.2 redundant
(specifically a subset of requirement 3.a.3)?


    <<<<

    Hrmm... it is slightly confusing. I think what I am saying is that

    3.a.2. all "first class" objects/resources are referenced by URIs.
    3.a.3 whenever possible, all resource and algorithms identifiers are
first class objects, and consequently referenced by URIs.

    I reworked the section to try to reflect that:

    Signature Data Model and Syntax

    1. XML-Signature will use the RDF data model [RDF] but need not use
    the RDF serialization syntax. [Charter]
    2. XML-Signatures can be applied to any Web resource. Consequently,
    XML-Signature referants are identified with URIs. [Beners-Lee,
    Reagle]
    3. XML-Signatures are first class objects themselves, and
    consequently referenceable and signable. [Beners-Lee, Reagle]
    4. Whenever possible, any resource or algorithm identifier is a first
    class object, and identified by a URI. [Beners-Lee, Reagle]
    5. The solution shall enable authentication of internal and external
    resources by use of the Manifest. [Brown]
    _________________________________________________________
    Joseph Reagle Jr.
    Policy Analyst mailto:reagle@w3.org
    XML-DSig Co-Chair http://w3.org/People/Reagle/
Received on Tuesday, 15 June 1999 11:17:13 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:06 GMT