W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 1999

RE: Omitting Location and Transforms from SignedInfo

From: John Boyer <jboyer@uwi.com>
Date: Wed, 17 Nov 1999 15:29:48 -0800
To: "Jim Schaad (Exchange)" <jimsch@Exchange.Microsoft.com>, "'Solo, David'" <david.solo@citicorp.com>, <marcnarc@xcert.com>, <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLAOMJKOFPMBCHJOICEDOCCAA.jboyer@uwi.com>
RE: Omitting Location and Transforms from SignedInfoAgree 100%.
John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company


  -----Original Message-----
  From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of Jim Schaad (Exchange)
  Sent: Wednesday, November 17, 1999 3:10 PM
  To: 'Solo, David'; marcnarc@xcert.com; w3c-ietf-xmldsig@w3.org
  Subject: RE: Omitting Location and Transforms from SignedInfo


  I don't like this because I can't possibly know how to implement it.

  How does a program know if something is of the correct form?  How do I
know what transformations have or have not been applied to the object since
the last time I dereferenced it.  (For example that document on the web site
was base64 encoded and now is not.)

  jim



  > -----Original Message-----
  > From: Solo, David [mailto:david.solo@citicorp.com]
  > Sent: Wednesday, November 17, 1999 2:16 PM
  > To: marcnarc@xcert.com; w3c-ietf-xmldsig@w3.org
  > Subject: RE: Omitting Location and Transforms from SignedInfo
  >
  >
  > I think this is sort of what I had in mind when I suggested
  > the definition of
  > (at least some of) the transforms should be "make it x" vs.
  > "do x".  Thus the
  > statement is I signed a canonicalized, decoded instance of
  > this object.  If
  > you've got one, digest it, if not, you need to perform the
  > corresponding
  > transforms.  This would be in contrast to the interpretation
  > of "you must
  > obtain a version and apply each specified transform".
  >
  > Dave
  >
  > > -----Original Message-----
  > > From: marcnarc [mailto:marcnarc@xcert.com]
  > > Sent: Wednesday, November 17, 1999 5:47 PM
  > > To: w3c-ietf-xmldsig
  > > Cc: marcnarc
  > > Subject: Re: Omitting Location and Transforms from SignedInfo
  > >
  > >
  > >
  > > I find your arguments persuasive, so I'm reversing my
  > > position on signed
  > > transforms.
  > >
  > > In your reply to Mack Hicks, you state that "the signature
  > > should be applied
  > > to a format of the document as close as possible to the presentation
  > > format."  I like this idea, and I'm starting to think that
  > > maybe transforms
  > > have been trying to do things backwards (or maybe it's just
  > > my reading of
  > > them that is backwards).
  > >
  > > Instead of saying "do A, B and C to this document before
  > verifying the
  > > signature" perhaps transforms should just indicate the "base
  > > format" that the
  > > document was in when it was signed.
  > >
  > > Admittedly, I'm not exactly sure how this could be done (MIME types,
  > > maybe?).  But it seems to me that the problem with transforms
  > > is that the
  > > signer has to make assumptions about how the verifier will
  > > obtain the signed
  > > content.  Things might be easier if the signer could just
  > > state what format
  > > the content was in when it was signed.
  > >
  > >   Marc
  > >
  > >
  >
Received on Wednesday, 17 November 1999 18:30:49 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:08 GMT