RE: verifying order of resources in a document

On that last one, I didn't finish the first set of comments due to a
distraction.  Here it is.

<John>
It seems preposterous to say that most applications will not care about the
order of the elements in a conversation about digital signatures.
For starters, it is wrong on a theoretical level.  Like it or not, the XML
1.0 spec does not forbid extensions languages from deriving meaning based on
the order in which the elements appear.  If you want that, use RDF.

Second, it is wrong on a technical level.  A hash itself is sensitive to the
order of the substrings within a given message to be hashed.

Third, it's wrong on a practical level, namely that you have not provided
any evidence of having sampled lots of applications.  For example, the
single largest body of applications based on any kind of markup are HTML
forms, and they care very much about order.  Even with separation of data
and presentation in XHTML forms (should it ever get built or supported), the
presentation must still be signed along with the data (and the manifest
notion in the Brown draft clearly allows for this).  Hence order will matter
in the presentation signature.  Most importantly, there is no sampling from
applications yet to come.  If I can come up with valid, well-formed XML, we
should be able to sign it even if we don't like the markup language design.
Signatures should not break because we don't like this or that part of what
XML allows.

So, given that it isn't actually all that hard to write software that does
the things I'm describing (UWI has been doing it for almost two years now!),
why not see if we can conceive of a signature syntax that does a good job on
any valid, well-formed XML?

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company

</John>

Received on Thursday, 29 July 1999 15:50:06 UTC