- From: Phillip M Hallam-Baker <pbaker@verisign.com>
- Date: Wed, 16 Jun 1999 10:18:26 -0400
- To: "Barb Fox (Exchange)" <bfox@Exchange.Microsoft.com>, <david.solo@citicorp.com>, "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
>There > is no compelling need for attributes (authenticated or not) when > you already > have the expressive power of XML. If a signer wants to make qualified > statements about a particular XML blob, then the signer should make those > statements in XML (perhaps including a strong reference/hash of > the original > blob) and sign *that*. In any event, you're always signing a > particular XML > object. And what when a single document must be signed more than once? Most E-Commerce protocols will involve signatories and counter-signatories up the wazoo. Also from the implementation standpoint, attibutes directly attached to signatures are easier to deal with. The signing hardware (if used) is unlikely to see (or want to see) the entire document. Even so a signing token may well want to insert disclaimers such as 'not valid for more than $10,000'. Phill
Received on Wednesday, 16 June 1999 10:17:27 UTC