W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 1999

Location shouldn't be signed!

From: Andreas Siglreithmayr <andreas.siglreithmayr@ixos.de>
Date: Thu, 28 Oct 1999 10:27:37 +0200
Message-ID: <9F077EBC72BFD211AEF90060080F37366C79FB@muc-mail4.ixos.de>
To: "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
Cc: "'Joseph M. Reagle Jr.'" <reagle@w3.org>, "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>, "'dee3@us.ibm.com'" <dee3@us.ibm.com>, Reiner Hüttl <reiner.huettl@munich.ixos.de>, Robert Frost <robert.frost@munich.ixos.de>
I wrote several weeks ago (  How to sign several resources (XML and XSL)? ).

	First a question to Donald Eastlake and Joseph Reagle:

	IXOS wants to participate actively in the XMLDsig Working Group.

	How can someone of IXOS become a member of the working group?

	Please reply to reiner.huettl@ixos.de and robert.frost@ixos.de.


Now my suggestion:

In the draft Section 6.0 is described, how to generate a signature.

It says, that the signature is calculated over SignedInfo.

Signed Info includes the information about the locations of the  data to be
signed.

I think this isn't practically usefull, because the location in the web or
on a server of a  DTD or a stylesheet, which are signed could change.

If someone wants to change the position of signed data, all XML signatures,
which references to this position have to be recalculated otherwise it
couldn't be  verified.

One solution would be a package, of course. But think about someone who
signs several pictures.
The person have to embed the data of the pics in the xml document.
That would make the xml huge.

The easiest solution would be not to sign the location.

Another solution made by a colleague of me would be to allow a reference to
point to a reference, that points to the position of the proper data.
I think about something like the following:

<Signature>
	<SignedInfo>
		(CanonicaliziationMethod)
		(SignatureMethod)
		<ObjectReference Id=? Location="#reference1" Type=reference
>
			(Transforms)
			(DigestMethod)
			(DigestValue)
		</ObjectReference>
		....
	<SignedInfo>
	(SignatureValue)
	(KeyInfo)
	(Object)
	...
	<Reference Id = "reference1" Location=? Type=? />
	...
</Signature>






			


> -----------------------------------------------------------
> Andreas Siglreithmayr
> Intern
> Innovation
> 
> iXOS Software AG
> Technopark Neukeferloh
> Bretonischer Ring 12
> D-85630 Grasbrunn/München
> NEW TELEPHONE NUMBERS!!
> Phone: (+49)-(89)-4629-1136
> Fax: (+49)-(89)-4629-331136
> World Wide Web: http://www.ixos.com/deutschland
> E-Mail: andreas.siglreithmayr@ixos.de
> 
> 
> 
Received on Thursday, 28 October 1999 04:26:59 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:08 GMT