RE: How to sign several resources (XML and XSL)? from dee3@us.ibm.com on 1999-09-23 (w3c-ietf-xmldsig@w3.org from July to September 1999)

From: <dee3@us.ibm.com>
Date: Thu, 23 Sep 1999 13:44:54 -0400
To: DJ <jevans@differential.com>
cc: "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>, "IETF Trade (E-mail)" <ietf-trade@lists.eListX.com>
Message-ID: <852567F5.00618FCE.00@D51MTA10.pok.ibm.com>
Proof in court depends on all kind of factors, many of which never appear in any
computer readable form.   As long as we provide ways for people to sign digital
objects, they can include under the signatre, directly or indirectly, anything
they want including anything they think might be helpful for later proofs.  If
someone wants to write a draft in the XMLDSIG group on the topic of what you
might want to sign in conjuction with a document for such legal purposes, they
are welcome to do so, but I don't see this as having a lot to do with our task
of defining XML digital signature syntax and processing.  Nor do I see these
questions as having much to do with IOTP where most signatures having nothing to
do with human sensible documents but rather with highly stylized protocol
messages.

Donald

Donald E. Eastlake, 3rd
17 Skyline Drive, Hawthorne, NY 10532 USA
dee3@us.ibm.com   tel: 1-914-784-7913, fax: 1-914-784-3833

home: 65 Shindegan Hill Road, RR#1, Carmel, NY 10512 USA
dee3@torque.pothole.com   tel: 1-914-276-2668



DJ <jevans@differential.com> on 09/23/99 12:21:06 PM

To:   David Burdett <david.burdett@commerceone.com>, "Winchel 'Todd' Vincent,
      III" <winchel@mindspring.com>, Andreas Siglreithmayr
      <andreas.siglreithmayr@ixos.de>, "W3c-Ietf-Xmldsig (E-mail)"
      <w3c-ietf-xmldsig@w3.org>
cc:   "IETF Trade (E-mail)" <ietf-trade@lists.eListX.com>
Subject:  RE: How to sign several resources (XML and XSL)?




But to present legally binding evidence at a future date you may need to
present the signed XML, the presentation (signed XSL) and perhaps even
the application that displayed it (a signed copy of Netscape??? or perhaps
the UWI.com forms browser?)

DJ

At 08:36 PM 9/22/99 -0700, David Burdett wrote:
>... otherwise how do you know the context for the XML data?
>
>You know the context because interpretation of the XML data is being done by
>software from a presumably reliable source to do the interpretation that is
>built according to a specification that describes the semantics of data
>
>... I now feel that we're getting very close to the topic of "trusted"
>applications  and I'm not sure we want to go there ...
>
>David
>
>-----Original Message-----
>From: DJ [mailto:jevans@differential.com]
>Sent: Wednesday, September 22, 1999 3:49 PM
>To: David Burdett; Winchel 'Todd' Vincent, III; Andreas Siglreithmayr;
>W3c-Ietf-Xmldsig (E-mail)
>Cc: IETF Trade (E-mail)
>Subject: RE: How to sign several resources (XML and XSL)?
>
>
>
>UWI.com has an XML implementation that signs the "presentation" (eg. the
>XSL)
>as well as the XML.  In their view, it is critically important to sign
>both, otherwise
>how do you know the context for the XML data?
>
>dj
>
>At 02:45 PM 9/22/99 -0700, David Burdett wrote:
>>Following on from this I'm wondering what people's views are on signing an
>>XML document that is primarily an XML representation of a data structure
>>that is defined in a specification that is widely and publically available.
>>
>>The XML document, in it's native form is readable but not easily
>>understandable. A style sheet would make the document easier to understand
>>but is not required since the semantics of the document are defined in the
>>specification. However could use of a stylesheet then be construed as
>>altering the meaning of the XML document as far as a recipient is
>concerned.
>>
>>I ask since this is what IOTP effectively does, it signs several parts of a
>>data structure (represented in XML) and then creates new data structures
>>from the orginal that are also digitally signed and, using additional
>>"endorsing" signatures, "binds" the new document back to the original.
>>
>>David
>>
>>-----Original Message-----
>>From: Winchel 'Todd' Vincent, III [mailto:winchel@mindspring.com]
>>Sent: Wednesday, September 22, 1999 1:43 AM
>>To: Andreas Siglreithmayr; W3c-Ietf-Xmldsig (E-mail)
>>Subject: Re: How to sign several resources (XML and XSL)?
>>
>>
>>>
>>> I think that if someone signs an XML-document, s/he would also have
>>>to sign the corresponding XSL file.
>>
>>Andreas:
>>
>>Other people on this list hold the very same opinion.  Indeed, as an
>>American lawyer, I believe there are very good legal reasons why *not*
>>signing the stylesheet might just get and XML document thrown out of court
>>if/when it were introduced into evidence.  Such a result would, of course,
>>make the technology much less valuable.
>>
>>Thank you for your input.  I think having someone with a new and fresh
>>perspective helps to shed light on the simplicity and logic of the notion.
>>I wish others would see it so clearly.
>>
>>Todd
>>
>-----------------------------------------------------------------------
>Message addressed to: ietf-trade@lists.elistx.com
>Archive available at: http://www.elistx.com/archives/ietf-trade/
>To (un)subscribe send a message with "subscribe" or "unsubscribe" in the
>body to: ietf-trade-request@lists.elistx.com

-----------------------------------------------------------------------
Message addressed to: ietf-trade@lists.elistx.com
Archive available at: http://www.elistx.com/archives/ietf-trade/
To (un)subscribe send a message with "subscribe" or "unsubscribe" in the
body to: ietf-trade-request@lists.elistx.com
Received on Thursday, 23 September 1999 13:45:59 UTC