W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 1999

Re: importing terminology in "XML-Signature Requirements"

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Wed, 21 Jul 1999 13:33:15 -0400
Message-Id: <3.0.5.32.19990721133315.00a30cc0@localhost>
To: Dan Connolly <connolly@w3.org>
Cc: IETF/W3C XML-DSig WG <w3c-ietf-xmldsig@w3.org>
At 10:47 AM 7/21/99 -0500, Dan Connolly wrote:
 >Yes, you can have a Web resource that is "the current edition
 >of the USA Today" but there's no one digital signature that
 >works for such a resource over time. A particular digital signature
 >applies to the content of that resource as of this morning,
 >or as of yesterday morning, but not both.

Ok, I like this distinction. (Though I still wonder what makes a resource a
resource, the fact that it has a URI -- question is re-asked below)

 >>  >So I'd suggest replacing that "signatures on Web resources"
 >>  >with "signatures on digital content." So:
 >> 
 >> This is certainly true. You can sign anything you can perform the
 >> cryptographic operation on. Is there a class of digital content that we
 >> don't wish to sign? No. Is there a class of digital object that we can't
 >> sign? Yes, that which is not addressable.
 >
 >Why don't you want to be able to sign documents that don't have
 >addresses? i.e. a document on stdin, or the following document:

Because, (I believe) we are in actuality signing the manifest, which
includes hashes of the resources. If you can't stick it in the manifest, how
do you sign it?

 >	<doc>Four score and seven years ago today</doc>
 >
 >I thought you did want to sign such content, hence
 >"portions of protocol messages" in the Introduction.

This is terminology that Don introduced and I don't completely understand; I
did speak to Don about it last week and understood it in as far as defining
an application of signatures, but not on how one actually does this. I
assume even a stream or protocol flow of XML stuff will be addressable in
some way, if only through local fragment idenitifiers. Don, can you speak to
this? Is there already an example in IOTP?

 >Another example of content that doesn't have an address:
 >the current contents of http://www.w3.org/. In a month
 >from now, the content of http://www.w3.org/ will (most likely)
 >change, and there isn't any URI that refers to the content
 >as of today (hm... actually, there is, but it's in our
 >internal CVS web space that we don't make generally available).

To play devil's advocate: the content at http://www.w3.org/ certainly does
have an address, it's "http://www.w3.org/." However, a month from now that
content no longer exists, and different content is re-using it's address. I
feel like we might be approaching the topic of "uniqueness" as well, which
we've been meaning to chat about.

Regardless, I like your distinction. For our purposes, are these the
definitions?

resource - digital content, all resources are addressable
content - bytes delivered upon accessing a resource. not all content is
addressible.
uri - one way of addressing a resource given the specified production rules.

locator is difficult and relates to my question of when you use a fragment
identifier "#" or even the "|" which application is responsible for defining
and handing the set of bytes to the signed-XML processor?

 >But in general, yes: a web resource that tells you what time it
 >is in Geneva is different from the string "4pm".

Ok,  I'll buy this.

 >... which just goes to show that "the content of a Web resource"
 >is a definite description error, like saying "the arm of the man."
 >Which arm?

I don't buy this. To the question of "which arm" the answer is the arm with
the following fingerprint (hash).
_________________________________________________________
Joseph Reagle Jr.   
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://w3.org/People/Reagle/
Received on Wednesday, 21 July 1999 13:33:14 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:06 GMT