W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 1999

RE: draft resulting from 990930 call

From: John Boyer <jboyer@uwi.com>
Date: Tue, 5 Oct 1999 09:16:31 -0700
To: "Andreas Schmidt" <aschmidt@darmstadt.gmd.de>, "XML-DSig mailing list" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLAOMJKOFPMBCHJOIOEHPCBAA.jboyer@uwi.com>
Is it consensus now that checking the digest is core signature
behaviour?
If yes, why? There seemed to be reasons for allowing dsig applications
to
check signatures without checking integrity of the Objects - e.g. a
scenario
where a trusted third party can wittness the validity of signatures
without
knowing the signed content.

<John>
The consensus was to check the digest of the objects indicated by
signedobjectref.

We perceived 'manifest' as just another object whose digest should be
validated by core signature behavior.  The manifest idea could then
implement the feature you are interested in.  Create a 'manifest' element
listing the resources and their hashes.  A signature would hash the manifest
and digitally sign the hash.  Verification would validate the integrity of
the manifest element.  It would then be the app's responsibility to validate
or not validate the hashes it contains.

The idea is that we need both methods.  Obviously you understand the need
for the manifest method.  However, if we just had a method that validated
manifests, then we could not say that core signature behavior was capable of
validating the actual data that most people want to sign.

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company

</John>
Received on Tuesday, 5 October 1999 12:15:52 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:08 GMT