W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2000

Re: Application Specific Semantics in Signatures

From: Winchel 'Todd' Vincent, III <winchel@mindspring.com>
Date: Tue, 11 Apr 2000 17:52:39 -0400
Message-ID: <010001bfa400$41c63fd0$d29f6083@ECTFILELT>
To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Joseph:

Thank you very much for this post.  This reflects what the group agreed
early on and was one of my primary concerns.  You have stated the
proposition extremely well.  I support something in the spec that would
discourage people from using <SignatureProperties>.

Your example is reflective of the real-world distinction between documents
and signatures.  Documents (and surrounding circumstances) convey meaning.
A signature is merely evidence of an act that signifies one of many flavors
of intent (acceptance, acknowledgment, authorship, etc., etc.) with respect
to what is in the document (and surrounding circumstances).  Trying to
capture "intent" is not something that can be done in a standard (at least
not with current technology :-)

Thanks,

Todd



> Presently, the specification speaks of using SignatureProperties as a
> potential way for one to introduce semantics beyond the simple signature
> semantic. (When people speak of "I signed this," they often imply an
> additional semantic of vouch, believe, assert, assure, authored, etc. Our
> design avoids this and sticks to the meaning of the signature: message and
> signer authentication.)
>
> Use of SignatureProperty is useful, but a bit awkward. In discussions with
> Taka on using XML Signature with CC/PP he formulated an example (that was
> integrated with RDF fairly well) that I very much liked. To place the idea
> into a closer application domain:
>
> <checkbook>
>   <check Id="check101">
>     <account>xyz</account>
>     <name>reagle</reagle>
>     <amount currency="USD">50</amount>
>     <authorized by="#Signature101"/>
>   </check>
>   <Signature Id="Signature101" xmlns="http://www.w3...">
>     ...
>     <Reference URI="check101"/>
>     ...
>   </Signature>
> </checkbook>
>
> Clearly, the signature still keeps its simple meaning. It's the
application
> that defined and verifies what "authorized by" means, as it should be. The
> only difference between this and SignatureProperty is the placement of the
> syntax (in the application data instead of in the Signature).
>
> The short of this though, is that since I that I think we should encourage
> people to use the approach captured in the example above, I'd like to
> include a few sentences and an example similar to the above such that we
> aren't unduly encouraging people to use SignatureProperty.
>
> BTW: I'm not speaking to the standardization of the syntax and semantics
of
> things like assuredby. For the time being, I think applications will do it
> on their own. It'd be good to standardize on, but presently, whatever is
> done can be used directly in the application XML or the SignatureProperty
as
> appropriate. (The desire for standardizing signature semantics is
orthogonal
> to the design of the facility, which we've been focusing on.)
>
> _________________________________________________________
> Joseph Reagle Jr.
> W3C Policy Analyst                mailto:reagle@w3.org
> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
>
Received on Tuesday, 11 April 2000 17:49:50 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:09 GMT