> > So the XML Package includes the encoding algorithm and source > locator, as > well as the encoded form, which encapsulated the PDF file. > Now what does the > actual signature manifest locator point to: the package or > the source? If > the source then it might not know to look in the package; if > the package, it > should sign the package. Part of the issue here is to what > degree does the > URI speak of the location and/or encoding? The Manifest point to the source. The application expects (this was an application level issue) a Package element with the same resource locator. Recall that the XMLDSIG specification does not cover verification of the resources pointed by the Manifest. This is left to the application layer. > > ------- > _XML Package (ID=package) > : encoding algorithim > : resource locator > ____ > _Encoding form > _______ > _PDF File (ID=source) > > I think my preferred solution would be a statement about a > statement: (I > sign (I am the package/encoded form of (I am a contractual > statement))) ... ? > In this case, you still sign the encoded version of the document, not the original content. Sincerely, Richard D. BrownReceived on Wednesday, 21 July 1999 14:54:43 GMT
This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:07 GMT