- From: EKR <ekr@rtfm.com>
- Date: 27 Mar 2000 23:06:41 -0800
- To: "Joseph M. Reagle Jr." <reagle@w3.org>
- Cc: Ed Simon <ed.simon@entrust.com>, w3c-ietf-xmldsig@w3.org
"Joseph M. Reagle Jr." <reagle@w3.org> writes:
> http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0226.html
> You can't do enveloped or partial documents signatures really without
> operating in the XML as XML paradigm, if that frightens you from a
> security point of view, use detached. (Or see Phil's comment:
> http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0246.html
I don't read Phill's comment this way at all.
Rather, as I read it, Phill was describing how to adapt
an XML as object tree implementation to do signatures over
character strings by treating the signed data as an opaque
string. I understood him to be arguing for what you're calling
an "XML as character string" representation. Phil, do I have
you right?
FWIW, I'm extremely uncomfortable with the idea of requiring
full C14N. It moves the trust boundary uncomfortably far away
from the signature module. Doing partial decomposition
as Phill describes is standard practice in the ASN.1 community
and I don't see why it should be any more difficult in XML.
If it is, then the problem is bad tool design, IMHO.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
PureTLS - free SSLv3/TLS software for Java
http://www.rtfm.com/puretls/
Received on Tuesday, 28 March 2000 02:05:35 UTC