W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 1999

RE: importing terminology in "XML-Signature Requirements"

From: Richard D. Brown <rdbrown@Globeset.com>
Date: Wed, 28 Jul 1999 18:45:03 -0500
To: "'Richard Himes'" <rhimes@nmcourt.fed.us>
Cc: <w3c-ietf-xmldsig@w3.org>
Message-ID: <005701bed953$3731b4f0$0bc0010a@artemis.globeset.com>
Richard,

>
> I don't know what you mean by the general problem, Richard.
> Would the "general"
> solution be intractable or would it be a significant
> diversion?  Or would it be
> cleaner?

Unfortunately, I cannot answer this question. The current solution is
obviously outside the scope of XMLDSIG specification and very much
application-specific, though this "XML packaging" practice could be
sometimes standardized (very similar in functionality to S/MIME).

> I was wondering if it would be reasonable to use an
> internal link, and
> describe the situation in the manifest (i.e. the hash is on
> the unencoded
> content of the thing pointed to by the locator) rather than
> using a common
> origin/href value.
>

I am afraid that this approach might be a bit too much specific. In fact, I
start to doubt about the actual benefit of hashing the unencoded content. In
final, you sign the canonical representation of the Manifest and not the
hash. Therefore, in order to sustain a claim, you will have to
establish/demonstrate/prove the construction of the signature WRT to the
original document, the signer key/credential, and the cryptograpic
algorithms. Adding one step in the demonstration is not necessarily the/a
problem (thoughts...)

Cheers,

Richard D. Brown
Received on Wednesday, 28 July 1999 19:45:11 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:07 GMT