W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 1999

RE: Omitting Location and Transforms from SignedInfo

From: Jim Schaad (Exchange) <jimsch@Exchange.Microsoft.com>
Date: Wed, 17 Nov 1999 16:16:51 -0800
Message-ID: <EAB5B8B61A04684198FF1D0C1B3ACD194A712B@dino.dns.microsoft.com>
To: "'John Boyer'" <jboyer@uwi.com>
Cc: DSig Group <w3c-ietf-xmldsig@w3.org>


> -----Original Message-----
> From: John Boyer [mailto:jboyer@uwi.com]
> Sent: Wednesday, November 17, 1999 3:58 PM
> To: Jim Schaad (Exchange)
> Cc: DSig Group
> Subject: RE: Omitting Location and Transforms from SignedInfo
> 
> 
> 
> That is not at all what I am proposing.  I think it is just 
> fine to sign
> something that is not a manifest and is not in the current 
> document.  What I
> am stating is that if the application does not want the 
> behavior that we
> automatically go and try to verify what is being signed, then 
> it goes in a
> manifest.  If you want to have the core code automatically 
> very what is
> being signed, it can be in the SignerInfo object.  The 
> locality of the data
> is unimportant.
> 
> <John>
> Oh, I thought I'd already said why that wasn't such a hot idea.
> 
> 1) We want core code to automatically verify the DigestValue of
> ObjectReference because this is equivalent to verifying the 
> bulk of the data
> that the signer actually wanted to sign.

I don't know that I agree with this statement, but it's not that important.
Verifying that a manifest is correct does not validate any large amount of
data.

> 
> 2) The core rules automatically verify DigestValue of 
> ObjectReference if and
> only if Location is invariant once the signature is created. 
> If the Location
> of a piece of data is expected to change, then our core 
> processing rules
> cannot accommodate the signature.  This has nothing to do 
> with some weird
> application-specific need that only a handful of people have. 
>  Locations
> change, auxiliary documents get updated.  If someone wants to 
> preserve a
> signature, they may need to change a Location here or there.  
> This is likely
> to be a commonplace event with long-term signatures on 
> high-value documents.

I disagree with this statement.  I believe that the if and only if statement
is wrong, and everything following from that is therefore also incorrect.

> 
> The point is that yes, they could push this off to a 
> Manifest, but manifests
> rely on application-specific behavior to validate. What we're 
> saying is that
> a certain class of signatures cannot be validated by core 
> code for reasons
> that don't seem to have anything to do with the needs of the 
> application.
> 
> It would be much cleaner to design a syntax that, by its 
> design, does not
> have us chasing things down outside of the current document.  
> I expect it
> will also be somewhat common to have signatures that point to 
> things outside
> of the document, and such signatures will need application 
> logic to validate
> the signature.  But, at least the need for application validation has
> *something* to do with a direct need of the application-- 
> esp. given that
> such a need may already depend on application specific 
> caching systems,
> resource resolution schemes and so forth.
> 
> John Boyer
> Software Development Manager
> UWI.Com -- The Internet Forms Company
> 
> </John>
> 
> jim
> 
Received on Wednesday, 17 November 1999 19:17:21 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:08 GMT