W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 1999

RE: Locations but not Transforms as hints (was RE: The XML-DSig N on-standard, or Location/Transforms as 'hints')

From: John Boyer <jboyer@uwi.com>
Date: Wed, 24 Nov 1999 13:05:58 -0800
To: "Mark Bartel" <mbartel@thistle.ca>, <w3c-ietf-xmldsig@w3.org>
Hi Mark,

Comments below...

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of Mark Bartel
Sent: Wednesday, November 24, 1999 11:32 AM
To: 'John Boyer '; 'w3c-ietf-xmldsig@w3.org '
Subject: RE: Locations but not Transforms as hints (was RE: The XML-DSig
N on-standard, or Location/Transforms as 'hints')

My thoughts on each:

1. Core behaviour should be free of application-specific behaviour.

I agree with this in theory. My point was that there are other issues in the
core that are also application specific, such as how the application gets
the appropriate key material.

Appropriate key material is obtained from KeyInfo. I realize that more
non-core work must be done to associate the key with the signer (e.g. by
doing a certificate chain dance), but that is done in accordance with a PKI
policy, not a specific application.  Furthermore, it can be done either
before or after-- not during-- the operation of core behavior.

I don't see location-as-hint as posing a noticeable interoperability problem
or implementation burden.  Applications that do funky things will of course
not interoperate, but that is a given.
Location-as-hint significantly simplifies some particular scenarios, and I
think that in this case it is worth the slight amount of effort required to
do it.  However, assertions-about-assertions could be used to the same
effect; they are merely more complicated.

As I've explained often in the past, creating some fix for Location does not
solve the whole problem.  You still have to optionally omit a base 64 decode
AND an Xpath transform with the value child::text() in order to be able to
move a signed resource from within a document to without.
Location as hint makes Location an application-specific behavior as a way of
hacking around the problem of wanting to omit the location from SignedInfo.
The real problem is much bigger, so until your proposal talks about solving
the whole problem, why are we debating over its merits?  But since I'm in a
debating mood, let's consider a location such as
URI="http://www.somecompany.com//somedocument.txt".  Isn't it at least
slightly bothersome that core behavior can't go and dig up this resource?
Isn't it at least slightly bothersome that core behavior has to have an
application callback setup to resolve this?  Isn't it at least slightly
bothersome that we have no idea what additional information that callback
will need (dates, people, originating organizations, etc.)?
Wouldn't it be a lot simpler if we either
A) gave the ability to precisely define what should be omitted from
SignedInfo using an Xpath transform
B) recognize that we view Location resolution (and any incumbent change of
transforms) as application-specific and move the whole problem out to the

In fact, it is already possible to solve this problem using a manifest, as
will be explained in another email.

2. The signer of the document, not the verifier, determines what is
important to be signed.

I disagree with this.  I think both the signer and the verifier do this
determination.  It depends on the nature of the interaction.  I submit the
following points:

a) The signer cares that *sufficient* information is signed.
b) The verifier only cares that the information relevant to it is signed.
c) If the verifier chooses to ignore signed information, that doesn't change
the assertion that the signer made.
d) If the signer is making an assertion intended to have legal force (which
will frequently not be the case), they will be concerned that information
that they are *not* asserting is *not* signed.

If location is signed, the document is moved, and the verifier doesn't care,
that doesn't change the assertion that the signer made.  This is points a),
b), and c).

And since it doesn't particularly matter where the bits come from, I would
say that we should specify the signed location to mean that "this is where
the resource was when I signed it" and nothing more.  Therefore d) would not
be an issue.  I don't think it is reasonable for the assertion to be "this
is where the resource will be for all time".  If the verifying application
requires that the resource be at the original location, it can do that check
itself.  It seems to me that this is a lot like requiring an original of a
contract rather than a photocopy; it is the recipient for which this
matters.  Sometime an organization will accept a copy, sometimes it won't.

<John>My differing position on this should be evident from the comments

3. Location-as-hint is a "brutal hack" that changes the meaning of what got

I disagree, but I realize that I am thinking of the signed location in the
sense of the above paragraph.  The signed location is the "original" which
may or may not still exist.

Although this was not a 'big' point as I am more concerned about allowing
core behavior to dig up the bits, this is obviously a point on which we must
agree to disagree.  To me, a signature should sign what the signer intends
it to sign.  The URI is signed because of a design limitation in our core,
not because the user intended to sign it.  The solution is a brutal hack
because it tries to fix the problem by saying that
URI="http://www.somespecificcompany.com/somespecificdocument.txt" does not
have a set meaning. To me this is like curing the disease by amputation.  In
the world of medicine, it works and is sometimes necessary, but it is brutal
and only used as a last resort.  We should not consider this option when
there are at least two better options on the table.

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company

Received on Wednesday, 24 November 1999 16:07:35 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:32 UTC