[Moderator Action] RE: How to sign several resources (XML and XSL)? from by way of on 1999-09-23 (w3c-ietf-xmldsig@w3.org from July to September 1999)

From: by way of <jevans@differential.com>
Date: Wed, 22 Sep 1999 20:38:27 -0400
To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Cc: DJ <jevans@differential.com>
Message-Id: <3.0.5.32.19990922203827.0093b770@localhost>

[DJ: You are not subscribed to this list, consequently emails will be
bounced. Information on how to subscribe can be found at
http://www.w3.org/Signature]


UWI.com has an XML implementation that signs the "presentation" (eg. the XSL)
as well as the XML.  In their view, it is critically important to sign
both, otherwise
how do you know the context for the XML data?  

dj

At 02:45 PM 9/22/99 -0700, David Burdett wrote:
>Following on from this I'm wondering what people's views are on signing an
>XML document that is primarily an XML representation of a data structure
>that is defined in a specification that is widely and publically available.
>
>The XML document, in it's native form is readable but not easily
>understandable. A style sheet would make the document easier to understand
>but is not required since the semantics of the document are defined in the
>specification. However could use of a stylesheet then be construed as
>altering the meaning of the XML document as far as a recipient is concerned.
>
>I ask since this is what IOTP effectively does, it signs several parts of a
>data structure (represented in XML) and then creates new data structures
>from the orginal that are also digitally signed and, using additional
>"endorsing" signatures, "binds" the new document back to the original.
>
>David
>
>-----Original Message-----
>From: Winchel 'Todd' Vincent, III [mailto:winchel@mindspring.com]
>Sent: Wednesday, September 22, 1999 1:43 AM
>To: Andreas Siglreithmayr; W3c-Ietf-Xmldsig (E-mail)
>Subject: Re: How to sign several resources (XML and XSL)?
>
>
>>
>> I think that if someone signs an XML-document, s/he would also have
>>to sign the corresponding XSL file.
>
>Andreas:
>
>Other people on this list hold the very same opinion.  Indeed, as an
>American lawyer, I believe there are very good legal reasons why *not*
>signing the stylesheet might just get and XML document thrown out of court
>if/when it were introduced into evidence.  Such a result would, of course,
>make the technology much less valuable.
>
>Thank you for your input.  I think having someone with a new and fresh
>perspective helps to shed light on the simplicity and logic of the notion.
>I wish others would see it so clearly.
>
>Todd
>

Received on Wednesday, 22 September 1999 20:39:11 UTC