W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 1999

RE: Omitting Location and Transforms from SignedInfo

From: Jim Schaad (Exchange) <jimsch@Exchange.Microsoft.com>
Date: Wed, 17 Nov 1999 15:09:37 -0800
Message-ID: <EAB5B8B61A04684198FF1D0C1B3ACD194A7127@dino.dns.microsoft.com>
To: "'Solo, David'" <david.solo@citicorp.com>, marcnarc@xcert.com, w3c-ietf-xmldsig@w3.org
I don't like this because I can't possibly know how to implement it.

How does a program know if something is of the correct form?  How do I know
what transformations have or have not been applied to the object since the
last time I dereferenced it.  (For example that document on the web site was
base64 encoded and now is not.)

jim


> -----Original Message-----
> From: Solo, David [mailto:david.solo@citicorp.com]
> Sent: Wednesday, November 17, 1999 2:16 PM
> To: marcnarc@xcert.com; w3c-ietf-xmldsig@w3.org
> Subject: RE: Omitting Location and Transforms from SignedInfo
> 
> 
> I think this is sort of what I had in mind when I suggested 
> the definition of 
> (at least some of) the transforms should be "make it x" vs. 
> "do x".  Thus the 
> statement is I signed a canonicalized, decoded instance of 
> this object.  If 
> you've got one, digest it, if not, you need to perform the 
> corresponding 
> transforms.  This would be in contrast to the interpretation 
> of "you must 
> obtain a version and apply each specified transform".
> 
> Dave
> 
> > -----Original Message-----
> > From: marcnarc [mailto:marcnarc@xcert.com]
> > Sent: Wednesday, November 17, 1999 5:47 PM
> > To: w3c-ietf-xmldsig
> > Cc: marcnarc
> > Subject: Re: Omitting Location and Transforms from SignedInfo
> > 
> > 
> > 
> > I find your arguments persuasive, so I'm reversing my 
> > position on signed
> > transforms.
> > 
> > In your reply to Mack Hicks, you state that "the signature 
> > should be applied
> > to a format of the document as close as possible to the presentation
> > format."  I like this idea, and I'm starting to think that 
> > maybe transforms
> > have been trying to do things backwards (or maybe it's just 
> > my reading of
> > them that is backwards).
> > 
> > Instead of saying "do A, B and C to this document before 
> verifying the
> > signature" perhaps transforms should just indicate the "base 
> > format" that the
> > document was in when it was signed.
> > 
> > Admittedly, I'm not exactly sure how this could be done (MIME types,
> > maybe?).  But it seems to me that the problem with transforms 
> > is that the
> > signer has to make assumptions about how the verifier will 
> > obtain the signed
> > content.  Things might be easier if the signer could just 
> > state what format
> > the content was in when it was signed.
> > 
> >   Marc
> > 
> > 
> 
Received on Wednesday, 17 November 1999 18:09:40 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:08 GMT