Canonicalization: Effect on XSL stylesheets and legal implications

I've got a bit of a brain dump that I would like to leave you with before I
disappear for a couple of days...

I would expect that in many applications, the validity and usefulness of a
digital signature from a LEGAL perspective will require capturing not only
the content of the XML source but also its presentation to the user.  In
many cases, this presentation will be defined by an XSL (or CSS) stylesheet.

XSL enables the presentation of any part of an XML instance including the
processing instructions and comments.  Offhand, I think it would be highly
questionable to put pertinent legally-binding information in a processing
instruction or comment but we may need to unambiguously state the following
requirements for application designers who are creating XML-based
applications that use XML digital signatures:

1.  Applications SHOULD NOT include legally-pertinent information in the
processing instructions or comments of an XML instance.

2.  If the legal value of a signed XML document is dependent upon how it was
presented through a stylesheet, that stylesheet MUST be signed too.

3.  If the canonical form of an XML instance is being signed, the XSL
stylesheet associated with that instance MUST NOT include matches on
processing instructions or comments.  (Doing so could cause the user to
agree to information that is not being signed.)

Under the current canonicalization proposal, processing instructions
disappear.  Because the W3C Recommendation for linking a stylesheet with an
XML document ("http://www.w3.org/TR/xml-stylesheet/") uses processing
instructions, the canonical form of such a document will not include the
stylesheet linking information.  I would recommend that the canonicalization
process preserve the style-sheet linking processing instruction(s).

Comments anyone, especially those of you with a legal background?

Regards, Ed

Received on Wednesday, 11 August 1999 15:21:59 UTC
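
Requirement 3 in the message above can be checked mechanically before a stylesheet is accepted for use with signed documents. The following is an added example, not part of the original message or of any W3C specification: it scans an XSLT 1.0 stylesheet for expressions that reach comments or processing instructions. The function names, the "explicit"/"broad" labels and the sample stylesheet are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XSL_NS = "{http://www.w3.org/1999/XSL/Transform}"
# XPath node tests that reach comments or processing instructions.
# node() is included because it selects every node kind, those two included.
NODE_TEST = re.compile(r"(?<![\w:.-])(comment|processing-instruction|node)\s*\(")
# XSLT 1.0 attributes that hold an XPath expression or a match pattern.
XPATH_ATTRS = ("match", "select", "test", "use")

def strip_literals(expr):
    """Blank out quoted strings so text such as 'see comment(s)' is not flagged."""
    return re.sub(r"'[^']*'|\"[^\"]*\"", "''", expr)

def audit_stylesheet(xslt_text):
    """Return (element, attribute, expression, kind) for each risky expression."""
    findings = []
    for el in ET.fromstring(xslt_text).iter():
        if not el.tag.startswith(XSL_NS):
            continue  # literal result element, not an XSLT instruction
        for attr in XPATH_ATTRS:
            expr = el.get(attr)
            if expr is None:
                continue
            for m in NODE_TEST.finditer(strip_literals(expr)):
                kind = "broad" if m.group(1) == "node" else "explicit"
                findings.append((el.tag[len(XSL_NS):], attr, expr, kind))
    return findings

# Constructed sample stylesheet (not from the original message).
SAMPLE = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/contract">
    <p><xsl:value-of select="terms"/></p>
    <p><xsl:value-of select="comment()[1]"/></p>
    <xsl:copy-of select="appendix/node()"/>
  </xsl:template>
  <xsl:template match="processing-instruction('fee')">
    <b><xsl:value-of select="."/></b>
  </xsl:template>
  <xsl:template match="note[. = 'see comment(s)']"/>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for finding in audit_stylesheet(SAMPLE):
        print(finding)
```

The check covers XSLT instruction attributes only; attribute value templates on literal result elements and stylesheets pulled in through xsl:import or xsl:include would each need their own pass.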