W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 1999

RE: importing terminology in "XML-Signature Requirements"

From: Richard D. Brown <rdbrown@Globeset.com>
Date: Wed, 21 Jul 1999 13:54:18 -0500
To: "'Joseph M. Reagle Jr.'" <reagle@w3.org>
Cc: "'Dan Connolly'" <connolly@w3.org>, "'IETF/W3C XML-DSig WG'" <w3c-ietf-xmldsig@w3.org>
Message-ID: <009801bed3aa$706c0120$0bc0010a@artemis.globeset.com>
>
> So the XML Package includes the encoding algorithm and source
> locator, as
> well as the encoded form, which encapsulated the PDF file.
> Now what does the
> actual signature manifest locator point to: the package or
> the source? If
> the source then it might not know to look in the package; if
> the package, it
> should sign the package. Part of the issue here is to what
> degree does the
> URI speak of the location and/or encoding?

The Manifest point to the source. The application expects (this was an
application level issue) a Package element with the same resource locator.
Recall that the XMLDSIG specification does not cover verification of the
resources pointed by the Manifest. This is left to the application layer.

>
> -------
> _XML Package (ID=package)
>         : encoding algorithim
>         : resource locator
>         ____
>         _Encoding form
>                 _______
>                 _PDF File (ID=source)
>
> I think my preferred solution would be a statement about a
> statement: (I
> sign (I am the package/encoded form of (I am a contractual
> statement))) ... ?
>

In this case, you still sign the encoded version of the document, not the
original content.

Sincerely,

Richard D. Brown
Received on Wednesday, 21 July 1999 14:54:43 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:07 GMT