Application Specific Semantics in Signatures

Presently, the specification speaks of using SignatureProperties as a
potential way for one to introduce semantics beyond the simple signature
semantic. (When people speak of "I signed this," they often imply an
additional semantic of vouch, believe, assert, assure, authored, etc. Our
design avoids this and sticks to the meaning of the signature: message and
signer authentication.)

Use of SignatureProperty is useful, but a bit awkward. In discussions with
Taka on using XML Signature with CC/PP he formulated an example (that was
integrated with RDF fairly well) that I very much liked. To place the idea
into a closer application domain:

<checkbook>
  <check Id="check101">
    <account>xyz</account>
    <name>reagle</name>
    <amount currency="USD">50</amount>
    <authorized by="#Signature101"/>
  </check>
  <Signature Id="Signature101" xmlns="http://www.w3...">
    ...
    <Reference URI="#check101"/>
    ...
  </Signature>
</checkbook>

Clearly, the signature still keeps its simple meaning. It's the application
that defines and verifies what "authorized by" means, as it should be. The
only difference between this and SignatureProperty is the placement of the
syntax (in the application data instead of in the Signature).

The short of this, though, is that since I think we should encourage
people to use the approach captured in the example above, I'd like to
include a few sentences and an example similar to the above such that we
aren't unduly encouraging people to use SignatureProperty.

BTW: I'm not speaking to the standardization of the syntax and semantics of
things like assuredby. For the time being, I think applications will do it
on their own. It'd be good to standardize on, but presently, whatever is
done can be used directly in the application XML or the SignatureProperty as
appropriate. (The desire for standardizing signature semantics is orthogonal
to the design of the facility, which we've been focusing on.)

_________________________________________________________
Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Tuesday, 11 April 2000 17:18:21 UTC
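
The application-side check that the checkbook example implies, as an added example that is not part of the original message or of the XML-Signature specification: before trusting an "authorized by" link, confirm that the Signature it names actually lists that check among its References. The function name, the placeholder namespace (the message elides the real one) and the sample document are assumptions constructed for illustration; cryptographic validation of the Signature is a separate step not shown here.

```python
import xml.etree.ElementTree as ET

# Placeholder namespace: the message elides the real Signature namespace URI.
DSIG_NS = "urn:example:placeholder-dsig"

# Constructed sample: check101 is properly bound, check102 points at a
# signature that covers a different check, check103 points at nothing.
SAMPLE = f"""
<checkbook>
  <check Id="check101"><amount currency="USD">50</amount>
    <authorized by="#Signature101"/></check>
  <check Id="check102"><amount currency="USD">9000</amount>
    <authorized by="#Signature101"/></check>
  <check Id="check103"><amount currency="USD">10</amount>
    <authorized by="#Signature999"/></check>
  <Signature Id="Signature101" xmlns="{DSIG_NS}">
    <SignedInfo><Reference URI="#check101"/></SignedInfo>
  </Signature>
</checkbook>
"""

def authorization_bindings(xml_text):
    """Map each check Id to True only if its authorized/@by names a Signature
    in the document whose Reference list includes that same check."""
    root = ET.fromstring(xml_text)
    # Index Signature elements by Id, refusing ambiguous (duplicate) Ids.
    signatures = {}
    for sig in root.iter(f"{{{DSIG_NS}}}Signature"):
        sig_id = sig.get("Id")
        if sig_id in signatures:
            raise ValueError(f"duplicate Signature Id: {sig_id}")
        signatures[sig_id] = sig
    results = {}
    for check in root.iter("check"):
        check_id = check.get("Id")
        auth = check.find("authorized")
        by = auth.get("by", "") if auth is not None else ""
        # Only same-document fragment references ("#Id") are accepted.
        sig = signatures.get(by[1:]) if by.startswith("#") else None
        covered = sig is not None and any(
            ref.get("URI") == f"#{check_id}"
            for ref in sig.iter(f"{{{DSIG_NS}}}Reference"))
        results[check_id] = covered
    return results

if __name__ == "__main__":
    print(authorization_bindings(SAMPLE))
```

Because the "authorized by" element sits in application data, the application has to enforce this two-way binding itself; a link to a valid Signature that covers some other check proves nothing about this one.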