W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 1999

RE: importing terminology in "XML-Signature Requirements"

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Wed, 21 Jul 1999 10:53:19 -0400
Message-Id: <3.0.5.32.19990721105319.00991e70@localhost>
To: <rdbrown@Globeset.com>
Cc: "'Dan Connolly'" <connolly@w3.org>, "'IETF/W3C XML-DSig WG'" <w3c-ietf-xmldsig@w3.org>
At 07:33 PM 7/20/99 -0500, Richard D. Brown wrote:
 >> This also touches on the issue of being able to sign
 >> the original content (the PDF file) instead of the encoded
 >> and attached version of the original content.
 >> Richard: how did you propose to do this?
 >
 >If you refer to the proposal I did to Richard Himes, it consists of
 >packaging the encoded content of the resource and the detached signature in
 >a single XML document. The encoded content is encapsulated in an XML
element
 >that displays the encoding scheme as well as the 'Web locator' associated
 >with the resource, whose content is being encapsulated. This proposal
 >assumed that the application would decode and 'cache' the packaged
resources
 >(or at least emulate such behaviors) before verification of the Resource
 >elements contained in the signature Manifest. Notice that this proposal has
 >been made in the context of a specific application and did not try to
 >address the problem in general.

So the XML Package includes the encoding algorithm and source locator, as
well as the encoded form, which encapsulated the PDF file. Now what does the
actual signature manifest locator point to: the package or the source? If
the source then it might not know to look in the package; if the package, it
should sign the package. Part of the issue here is to what degree does the
URI speak of the location and/or encoding?
 
-------
_XML Package (ID=package)
        : encoding algorithim
        : resource locator
        ____
        _Encoding form
                _______
                _PDF File (ID=source)

I think my preferred solution would be a statement about a statement: (I
sign (I am the package/encoded form of (I am a contractual statement))) ... ?

Well, this will become much clearer once I have a data model in hand. (The
encoded form is merely the value of the property "encoded as" of the actual
resource, the signature is a property of the reified form of that
statement... Obviously I need to think it through further.)
_________________________________________________________
Joseph Reagle Jr.   
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://w3.org/People/Reagle/
Received on Wednesday, 21 July 1999 10:53:22 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:06 GMT