W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 1999

Re: Omitting Location and Transforms from SignedInfo

From: Marc Branchaud <marcnarc@xcert.com>
Date: Wed, 17 Nov 1999 17:20:17 -0800
Message-ID: <38335451.123FE57D@xcert.com>
To: w3c-ietf-xmldsig@w3.org

This is what I was getting at when I said I wasn't sure how it could be done.

But these questions you raise aren't solved by a list of transforms, signed
or not.  You basically never know if something is in the correct form until
you try to use it.

In some ways, it's a bit strange to have an XML signature library deal with
all these transformation issues.  After all, the signed content itself wasn't
transformed by any application of an XML signature [*].  Rather, the content
got mutated by some other agent after a signature was created.  The best a
signature-verifying library can do is tell its application that it needs the
signed-form of the content, and hope that the app knows how to get it.

At least an application has more context to play with than a library.  Making
the library faithfully apply a list of transformations isn't going to solve
this issue.

[*] I suppose I should be clear here that I'm talking about transforms in
Mark Bartel's second sense (i.e. "To assist in retrieving the document in the
appropriate form"), not some use of XSLT/XPath to pick out parts of an XML
document for signing.  I think Mark's distinction is a good one.

		Marc


> "Jim Schaad (Exchange)" wrote:
> 
> I don't like this because I can't possibly know how to implement it.
> 
> How does a program know if something is of the correct form?  How do I know
> what transformations have or have not been applied to the object since the
> last time I dereferenced it.  (For example that document on the web site
> was base64 encoded and now is not.)
> 
> jim
>
Received on Wednesday, 17 November 1999 19:10:13 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:08 GMT