Re: ObjectReference shouldn't be signed, was RE: Location shouldn't be signed! from Joseph M. Reagle Jr. on 1999-11-03 (w3c-ietf-xmldsig@w3.org from October to December 1999)

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Wed, 03 Nov 1999 14:37:52 -0500
To: "John Boyer" <jboyer@uwi.com>, Andreas Schmidt <aschmidt@darmstadt.gmd.de>
Cc: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>, Reiner Hüttl <reiner.huettl@munich.ixos.de>, "Robert Frost" <robert.frost@munich.ixos.de>
Message-Id: <3.0.5.32.19991103143752.00a20700@localhost>

At 13:07 99/10/28 -0700, John Boyer wrote:
 >I just wanted to briefly comment on this.  The problem addressed in
Andreas'
 >email is what happens when an externally validated resource moves from one
 >location to another. 

I just wanted to address this point in a round about way. In order to be
rigorous in our semantics I think of what we are doing in terms of
assertions. I suspect people are going to buy themselves a lot of trouble
for things like URIs, HTTP, mirroring and caching if they don't do the same.
I tried to tease out some of the assertions back in August [1], but wanted
to restate what I think an ObjectReference states with my present
understanding [2]. Object Reference includes 3 assertions: 

        1. Each Resource has a Location of "URI"
        2. and each Resource has Transformations performed over the 
            dereferenced URI content.
        3. and each Resource has an associated DigestValue resulting
            a digest value being applied to the dereferenced URI content.

It seems you might be saying that there is some content (byte stream) that
has one or more URIs. This is a different way of looking at the problem and
I can see this point of view, and to that end I think our term "Location" is
a misnomer since it references a URI, not necessarily a URL. If people
wanted to associated a resource with a URN and the means of dereferencing
that URN to derive the content is defined elsewhere, fine. If they want to
associate some sort of remapping, or query/resolution with a URL to do the
same, fine. 

I think Andreas's point was that there are four meta-assertions (that might
incude others) we could make, and should we provide the syntax to express
them.

I'd opt for one:

 >1) Use Don's proposal indirectly by pushing these problems off to
 >application processing rules.

It is not _our_ job to redefine or reinvent URI, URN, or URLs or ways of
doing indirection/redirection over them. Maybe my take on this is wrong, and
if so I would ask what exactly is the set of assertions associated with the
other proposal? 

[1] http://www.w3.org/Signature/Drafts/xmldsig-datamodel-19990819.gif
[2] http://www.w3.org/Signature/Drafts/xmldsig-datamodel-19991029.gif
[3]
[4] 

_________________________________________________________
Joseph Reagle Jr.   
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Wednesday, 3 November 1999 14:44:29 UTC