RE: multilevel references from Ed Simon on 2000-02-28 (w3c-ietf-xmldsig@w3.org from January to March 2000)

From: Ed Simon <ed.simon@entrust.com>
Date: Mon, 28 Feb 2000 13:04:32 -0500
To: 'Reiner Hüttl' <reiner.huettl@ixos.de>, "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>
Message-ID: <01E1D01C12D7D211AFC70090273D20B101C4AA6C@sothmxs06.entrust.com>

If secondary references need to be signed, the application needs to discover
those references itself and create a <Reference> element for each one.
Basically, XML, HTML, and other data may include a variety of different
types of references and it would likely be technically infeasible to require
Signature engines to be able to understand all the existing and potentially
new methods of inclusion.

As well, though a data instance may include external references that, by
default, would be used in the presentation of the data, that may not only be
the case.  For example, a different stylesheet may be applied for different
types of display devices and differently-abled users.  Basically, when
writing the spec, one has to decide which capabilities should be in the
domain of the Signature spec and which should be left to the application
domain.  I believe secondary references are most appropriately left in the
application domain at this time.

Regards, Ed

-----Original Message-----
From: Reiner Hüttl [mailto:reiner.huettl@ixos.de]
Sent: Monday, February 28, 2000 11:52 AM
To: 'w3c-ietf-xmldsig@w3.org'
Subject: multilevel references


In the draft of 18-February-200 for every referenced object the digest is
calculated and inserted in the SignedInfo Element including identification,
transforms and algorithm information. 
In XML some of the referenced objects contain further references (e.g. an
XSL-object may reference a another XSL, a CSS or Images). These references
have to be included in the signature too, because otherwise I can exchange
e.g. images and therefore the presentation of the XML-document.

How will the draft consider multilevel-references ?
Do I have to follow the complete chain of references?
How can I distinguish a "firstlevel" reference from a "secondlevel"
refernce?

> -----------------------------------------------------------
> Dr. Reiner Hüttl
> Project Manager
> Innovation
> 
> IXOS SOFTWARE AG
> Technopark Neukeferloh
> Bretonischer Ring 12
> D-85630 Grasbrunn/München
> Phone: +49.(0)89.4629.1348
> Fax: +49.(0)89.4629.33.1348
> World Wide Web: http://www.ixos.com/deutschland
> E-Mail: reiner.huettl@ixos.de
> 
> 
>

Received on Monday, 28 February 2000 13:18:28 UTC