- From: Winchel 'Todd' Vincent, III <winchel@mindspring.com>
- Date: Tue, 11 Apr 2000 17:52:39 -0400
- To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Joseph: Thank you very much for this post. This reflects what the group agreed early on and was one of my primary concerns. You have stated the proposition extremely well. I support something in the spec that would discourage people from using <SignatureProperties>. Your example is reflective of the real-world distinction between documents and signatures. Documents (and surrounding circumstances) convey meaning. A signature is merely evidence of an act that signifies one of many flavors of intent (acceptance, acknowledgment, authorship, etc., etc.) with respect to what is in the document (and surrounding circumstances). Trying to capture "intent" is not something that can be done in a standard (at least not with current technology :-) Thanks, Todd > Presently, the specification speaks of using SignatureProperties as a > potential way for one to introduce semantics beyond the simple signature > semantic. (When people speak of "I signed this," they often imply an > additional semantic of vouch, believe, assert, assure, authored, etc. Our > design avoids this and sticks to the meaning of the signature: message and > signer authentication.) > > Use of SignatureProperty is useful, but a bit awkward. In discussions with > Taka on using XML Signature with CC/PP he formulated an example (that was > integrated with RDF fairly well) that I very much liked. To place the idea > into a closer application domain: > > <checkbook> > <check Id="check101"> > <account>xyz</account> > <name>reagle</reagle> > <amount currency="USD">50</amount> > <authorized by="#Signature101"/> > </check> > <Signature Id="Signature101" xmlns="http://www.w3..."> > ... > <Reference URI="check101"/> > ... > </Signature> > </checkbook> > > Clearly, the signature still keeps its simple meaning. It's the application > that defined and verifies what "authorized by" means, as it should be. The > only difference between this and SignatureProperty is the placement of the > syntax (in the application data instead of in the Signature). > > The short of this though, is that since I that I think we should encourage > people to use the approach captured in the example above, I'd like to > include a few sentences and an example similar to the above such that we > aren't unduly encouraging people to use SignatureProperty. > > BTW: I'm not speaking to the standardization of the syntax and semantics of > things like assuredby. For the time being, I think applications will do it > on their own. It'd be good to standardize on, but presently, whatever is > done can be used directly in the application XML or the SignatureProperty as > appropriate. (The desire for standardizing signature semantics is orthogonal > to the design of the facility, which we've been focusing on.) > > _________________________________________________________ > Joseph Reagle Jr. > W3C Policy Analyst mailto:reagle@w3.org > IETF/W3C XML-Signature Co-Chair http://www.w3.org/People/Reagle/ >
Received on Tuesday, 11 April 2000 17:49:50 UTC