W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 1999

RE: Omitting Location and Transforms from SignedInfo

From: John Boyer <jboyer@uwi.com>
Date: Wed, 17 Nov 1999 14:57:21 -0800
To: "Peter Lipp" <Peter.Lipp@iaik.at>, "Marc Branchaud" <marcnarc@xcert.com>, "DSig Group" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLAOMJKOFPMBCHJOIEEDLCCAA.jboyer@uwi.com>
It can't be just hint as long as our core signature validation rules state
that the DigestValue of an ObjectReference in SignedInfo must be validated.
Furthermore, we must have signatures that validate the DigestValue of an
ObjectReference because this is the actual data that the signer wanted to
sign.  Yes, we need to sign certain parts of SignedInfo for security
reasons, but this whole two step is irrelevant to the signer.  They want to
sign the bucket of bytes indicated by ObjectReference, and if core behavior
does not sign that bucket of bytes, then core behavior does not perform
digital signatures as they are defined in our industry.

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company


-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of Peter Lipp
Sent: Wednesday, November 17, 1999 12:59 PM
To: Marc Branchaud; DSig Group
Subject: AW: Omitting Location and Transforms from SignedInfo


> I _really_ think the last option is the right direction:
I agree. I strongly believe that the location is a hint at most, will rarely
be necessary (still waiting for objections here folks :-) and if the
location is kind of an "authenticated attribute" then it really belongs to
the data being signed.

Peter
Received on Wednesday, 17 November 1999 17:58:42 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:08 GMT