- From: Ed Simon <ed.simon@entrust.com>
- Date: Thu, 23 Sep 1999 13:37:50 -0400
- To: "'rhimes@nmcourt.fed.us'" <rhimes@nmcourt.fed.us>, miltonma@gte.net, david.burdett@commerceone.com, jevans@differential.com, winchel@mindspring.com, andreas.siglreithmayr@ixos.de, w3c-ietf-xmldsig@w3.org
- Cc: ietf-trade@lists.eListX.com
Just as signing an entity like "&bank;" may not be sufficient when the user actually sees "Bank of Bells Corners", signing a link to stylesheet may also be insufficient. Though an XML instance can specify one or more stylesheets (using the Recommendation Rich links to), that does not mean applications will actually use one of those stylesheets when formatting the data for a user. For example, it is predicted that PCs will make up less than half of the devices connect to the Internet by 2002 (others would include handheld devices like PalmPilots and cell-phones (with mini screens like those on modern video cameras). To accomodate the wide range of output devices, vendors are looking at dynamically selecting the stylesheet based on the output device. So, if you want to trade stocks using a cell-phone's mini screen, the stock-trade-to-cell-phone stylsheet would be used. An application may then want to sign that stylesheet used for that transaction rather than one of the ones specified in the XML instance. Anyway, I like the way Rich makes the point about the "level of trust" being up to the application. The XML Signature spec may make it possible to sign things beyond the core data but doesn't require one do so. Applications should sign whatever they believe is necessary. For legally-binding signatures, guiding principles might be "beyond a reasonable doubt" or "on the balance of probabilities". Ed -----Original Message----- From: rhimes@nmcourt.fed.us [mailto:rhimes@nmcourt.fed.us] Sent: September 23, 1999 12:42 PM To: miltonma@gte.net; david.burdett@commerceone.com; jevans@differential.com; winchel@mindspring.com; andreas.siglreithmayr@ixos.de; w3c-ietf-xmldsig@w3.org Cc: ietf-trade@lists.eListX.com Subject: Re[2]: How to sign several resources (XML and XSL)? XSL is an XML format, so we haven't excluded signature of XSL, have we? Also, I'm aware of the W3C recommendation at http://www.w3.org/TR/xml-stylesheet/ that ties a stylesheet to an XML document. However, a processing instruction is used for this purpose, and we have proposed elimination of PI from our c14n. I believe this needs to be revisited. Applications will definitely want the option to locate and sign an associated stylesheet. IMO, It is not for us to judge whether or not this makes sense to the application just because our committee(s) can't guarantee a trusted browser. The level of trust required is up to the application (they may restrict their application to specific signed and trusted browsers, they may certify their application for specific common browsers, etc.) Rich ____________________Reply Separator____________________ Subject: Re: How to sign several resources (XML and XSL)? Author: "Milton M. Anderson" <miltonma@gte.net> Date: 9/23/99 7:44 AM -----Original Message----- From: David Burdett <david.burdett@commerceone.com> Date: Wednesday, September 22, 1999 11:39 PM Subject: RE: How to sign several resources (XML and XSL)? >... otherwise how do you know the context for the XML data? > >You know the context because interpretation of the XML data is being done by >software from a presumably reliable source to do the interpretation that is >built according to a specification that describes the semantics of data > >... I now feel that we're getting very close to the topic of "trusted" >applications and I'm not sure we want to go there ... Even if XSL is signed, you still have to assume a "trusted" browser. It's impossible not to go there... Milt
Received on Thursday, 23 September 1999 13:38:01 UTC