
RE: draft resulting from 990930 call

From: <david.solo@citicorp.com>
Date: Tue, 5 Oct 1999 09:13:59 -0400
Message-Id: <H0000cc404665cd4@MHS>
TO: aschmidt@darmstadt.gmd.de, w3c-ietf-xmldsig@w3.org
Yes.  The current consensus is that at the top level, the ObjectReferences in 
SignedInfo, core processing includes validating the digest.  One motivation, 
among others, was that a core signature operation whose behavior does not 
include verifying that the item referenced is the item signed would be 
deficient at best.  

In building an application, you can have the ObjectReference point to a 
Manifest (or other document of your definition, such as a TTP request/response) 
which contains references to other objects.  In this case, the core behavior 
would validate the digest on the Manifest, but not the referenced objects.

Dave

> -----Original Message-----
> From: aschmidt [mailto:aschmidt@darmstadt.gmd.de]
> Sent: Tuesday, October 05, 1999 4:59 AM
> To: w3c-ietf-xmldsig
> Cc: aschmidt
> Subject: Re:draft resulting from 990930 call
> 
> 
> 
> > 8.2 Signature Validation 
>  
> >  2.calculate digest over all transformed signed 
> >    object(s) based on the algorithm in Object reference(s).
> >    If the object is contained within the Object 
> >    element, only the object itself is hashed (i.e. the <Object>
> >    and </Object > tags are excluded). 
> >  3.compare value against digest value in SignedInfo
> >    (if mismatch, validation fails). 
> 
> Is it consensus now that checking the digest is core signature
> behaviour?
> If yes, why? There seemed to be reasons for allowing dsig applications to
> check signatures without checking integrity of the Objects - e.g. a scenario
> where a trusted third party can witness the validity of signatures without
> knowing the signed content.
> 
> AUS
> --------------------------------------------------------------------
> Dr. Andreas U. Schmidt, Dept. SIT | mailto:aschmidt@darmstadt.gmd.de
> GMD German National Research      | phone :+49-6151-869-712       
> Center for Information Technology | fax   :+49-6151-869-704
> --------------------------------------------------------------------
> 


Received on Tuesday, 5 October 1999 09:15:31 GMT
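
The distinction drawn in the reply above, between a top-level reference and a reference reached through a Manifest, is modelled below as an added example that is not part of the original message or of the draft. Assumptions: sorted-key JSON stands in for canonicalized XML, HMAC-SHA256 for the signature algorithm, SHA-256 for the digest, and every function name and sample value is hypothetical.

```python
import hashlib
import hmac
import json

def canonical(obj) -> bytes:
    # Assumption: sorted-key JSON stands in for canonicalized XML.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def reference(uri: str, content: bytes) -> dict:
    return {"uri": uri, "digest": digest(content)}

def sign(key: bytes, signed_info: dict) -> str:
    # Assumption: HMAC-SHA256 stands in for the signature algorithm.
    return hmac.new(key, canonical(signed_info), hashlib.sha256).hexdigest()

def core_validate(key, signed_info, signature_value, resolve) -> bool:
    """Core behaviour: check the signature over SignedInfo, then the digest
    of every top-level reference. Nothing below that level is dereferenced."""
    if not hmac.compare_digest(sign(key, signed_info), signature_value):
        return False
    return all(digest(resolve(r["uri"])) == r["digest"]
               for r in signed_info["references"])

def manifest_failures(manifest_bytes: bytes, resolve) -> list:
    """Application behaviour: check the references listed inside a Manifest
    and return the URIs whose content no longer matches."""
    return [r["uri"] for r in json.loads(manifest_bytes)["references"]
            if digest(resolve(r["uri"])) != r["digest"]]

def demo(tamper: bool = True) -> dict:
    key = b"constructed-demo-key"  # constructed sample data throughout
    store = {"doc-a": b"contract text", "doc-b": b"price list"}
    direct = {"references": [reference("doc-a", store["doc-a"])]}
    store["manifest"] = canonical(
        {"references": [reference(u, store[u]) for u in ("doc-a", "doc-b")]})
    indirect = {"references": [reference("manifest", store["manifest"])]}
    sig_direct, sig_indirect = sign(key, direct), sign(key, indirect)
    if tamper:
        store["doc-a"] = b"contract text (altered after signing)"
    return {
        "direct_core": core_validate(key, direct, sig_direct, store.__getitem__),
        "indirect_core": core_validate(key, indirect, sig_indirect, store.__getitem__),
        "manifest_failures": manifest_failures(store["manifest"], store.__getitem__),
    }

if __name__ == "__main__":
    print(demo())
```

With `doc-a` altered after signing, core validation fails for the direct reference but still succeeds for the signature that points at the Manifest; only the application-level Manifest check reports `doc-a`.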
