W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 1999

Re: How to sign several resources (XML and XSL)?

From: Milton M. Anderson <miltonma@gte.net>
Date: Thu, 23 Sep 1999 00:08:05 -0400
Message-ID: <013801bf057c$89d22f00$7bf5fed0@hkyxztrz>
To: "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
For server-to-server applications it is also true that the document
closure issue can be addressed by the application's business rules.
The business rules can define that a valid document must contain
specific elements, and that the validity of the document is not affected
by any other elements outside of those which are signed and required
to be present at the workflow processing node under consideration.

Furthermore, I'm opposed to imbuing signatures with a generic "meaning"
stronger than --
Verify (message, publicKey) = True|False.
i.e. the signature verification algorithm was provided with the
indicated message bit string and the public key, and
either the signature algorithm ran properly to completion and produced
a True value, or it produced a False value or didn't complete.

Any other discussion of "meaning" should be left to the applications
that use signatures.

Perhaps we need a separate, simpler XML signature mechanism for
server-to-server applications?

Milt


-----Original Message-----
From: Greg Whitehead <gwhitehead@signio.com>
To: 'DJ' <jevans@differential.com>; David Burdett
<david.burdett@commerceone.com>; Winchel 'Todd' Vincent, III
<winchel@mindspring.com>; Andreas Siglreithmayr
<andreas.siglreithmayr@ixos.de>; W3c-Ietf-Xmldsig (E-mail)
<w3c-ietf-xmldsig@w3.org>
Cc: IETF Trade (E-mail) <ietf-trade@lists.eListX.com>
Date: Wednesday, September 22, 1999 7:15 PM
Subject: RE: How to sign several resources (XML and XSL)?


>Where XML is being used in the context of a wire protocol, and there is no
>XSL style sheet used in the interpretation of the messages by the protocol
>engine, it shouldn't be necessary to include any XSL in the signature.
>
>In general, you need to look at the context in which signed data is being
>interpreted and be sure that all of the elements critical to the
>interpretation can be trusted (were signed or obtained securely from some
>trusted source).
>
>-Greg
>
>-----Original Message-----
>From: DJ [mailto:jevans@differential.com]
>Sent: Wednesday, September 22, 1999 3:49 PM
>To: David Burdett; Winchel 'Todd' Vincent, III; Andreas Siglreithmayr;
>W3c-Ietf-Xmldsig (E-mail)
>Cc: IETF Trade (E-mail)
>Subject: RE: How to sign several resources (XML and XSL)?
>
>
>
>UWI.com has an XML implementation that signs the "presentation" (eg. the
>XSL)
>as well as the XML.  In their view, it is critically important to sign
>both, otherwise
>how do you know the context for the XML data?
>
>dj
>
>At 02:45 PM 9/22/99 -0700, David Burdett wrote:
>>Following on from this I'm wondering what people's views are on signing an
>>XML document that is primarily an XML representation of a data structure
>>that is defined in a specification that is widely and publically
available.
>>
>>The XML document, in it's native form is readable but not easily
>>understandable. A style sheet would make the document easier to understand
>>but is not required since the semantics of the document are defined in the
>>specification. However could use of a stylesheet then be construed as
>>altering the meaning of the XML document as far as a recipient is
>concerned.
>>
>>I ask since this is what IOTP effectively does, it signs several parts of
a
>>data structure (represented in XML) and then creates new data structures
>>from the orginal that are also digitally signed and, using additional
>>"endorsing" signatures, "binds" the new document back to the original.
>>
>>David
>>
>>-----Original Message-----
>>From: Winchel 'Todd' Vincent, III [mailto:winchel@mindspring.com]
>>Sent: Wednesday, September 22, 1999 1:43 AM
>>To: Andreas Siglreithmayr; W3c-Ietf-Xmldsig (E-mail)
>>Subject: Re: How to sign several resources (XML and XSL)?
>>
>>
>>>
>>> I think that if someone signs an XML-document, s/he would also have
>>>to sign the corresponding XSL file.
>>
>>Andreas:
>>
>>Other people on this list hold the very same opinion.  Indeed, as an
>>American lawyer, I believe there are very good legal reasons why *not*
>>signing the stylesheet might just get and XML document thrown out of court
>>if/when it were introduced into evidence.  Such a result would, of course,
>>make the technology much less valuable.
>>
>>Thank you for your input.  I think having someone with a new and fresh
>>perspective helps to shed light on the simplicity and logic of the notion.
>>I wish others would see it so clearly.
>>
>>Todd
>>
>
>-----------------------------------------------------------------------
>Message addressed to: ietf-trade@lists.elistx.com
>Archive available at: http://www.elistx.com/archives/ietf-trade/
>To (un)subscribe send a message with "subscribe" or "unsubscribe" in the
>body to: ietf-trade-request@lists.elistx.com
>-----------------------------------------------------------------------
>Message addressed to: ietf-trade@lists.elistx.com
>Archive available at: http://www.elistx.com/archives/ietf-trade/
>To (un)subscribe send a message with "subscribe" or "unsubscribe" in the
>body to: ietf-trade-request@lists.elistx.com
Received on Thursday, 23 September 1999 00:27:44 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:07 GMT