Re: DSIG Spec 4.3.3.1 - missing URI

Hi,

I think that most XMLDSIG implementations (certainly ours)
accept contextual information as a parameter to the
signing/verification process.

The resolution of an implicit reference (URI or node set)
is part of this contextual information.

Other relevant contextual information is a base URI against
which to resolve relative references, a security context in
which to resolve keying information, etc.

I think you will find that an external "reference resolver"
is a fairly typical form for this part of the contextual
information. Applications can configure and/or implement this
resolver as appropriate for their needs; specifying, in
particular, how to resolve implicit references.

Merlin

r/kgold@watson.ibm.com/2000.11.08/16:51:15
>Now that I'm clear on what a Reference without a URI does, here's what
>I was trying to ask in #2 and #3.
>
>A generic DSIG verifier would presumably be passed a document and
>would come back with a pass/fail result.  When this generic code came
>across a Reference without a URI, it would have no way to follow the
>Reference, no way to verify the hash, and therefore no way to verify
>the signature.  The application would have no way to pass in a URI
>parameter or octets.
>
>I suspect a similar problem with a signer.
>
>This is based on my guess on how a signer/verifier would work.  I'd
>like to hear opinions from people who have implemented, or plan to
>implement, a DSIG signer or verifier.  Do you plan to handle a
>Reference without a URI attribute?

Received on Wednesday, 15 November 2000 04:55:19 UTC
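
The resolver arrangement described in the reply above, as an added example that is not part of the original thread or of any implementation mentioned in it. The names make_resolver, check_references and sample_signed_info are hypothetical; the sketch assumes References carry no Transforms and checks only the Reference digests, not the SignatureValue over SignedInfo.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
           SHA256: hashlib.sha256}

class UnresolvedReference(Exception):
    """Raised when the context cannot supply the octets for a Reference."""

def make_resolver(implicit=None, store=None):
    # Hypothetical resolver factory: `implicit` holds the octets for a
    # Reference with no URI; `store` stands in for real URI dereferencing.
    store = store or {}
    def resolve(uri):
        if uri is None and implicit is not None:
            return implicit
        if uri in store:
            return store[uri]
        raise UnresolvedReference(repr(uri))
    return resolve

def check_references(signed_info_xml, resolve):
    # Returns {URI or None: digest_matches}. Fails closed: an unresolvable
    # Reference raises instead of being skipped.
    # Assumption: untrusted XML would go through a hardened parser first.
    results = {}
    for ref in ET.fromstring(signed_info_xml).iter(DS + "Reference"):
        uri = ref.get("URI")  # None for an implicit reference
        algo = ref.find(DS + "DigestMethod").get("Algorithm")
        expected = base64.b64decode(ref.findtext(DS + "DigestValue"))
        actual = DIGESTS[algo](resolve(uri)).digest()
        results[uri] = hmac.compare_digest(actual, expected)
    return results

def sample_signed_info(implicit_octets, uri, uri_octets):
    # Constructed sample input: one Reference without a URI, one with.
    def ref(attr, data):
        dv = base64.b64encode(hashlib.sha256(data).digest()).decode()
        return (f'<Reference{attr}><DigestMethod Algorithm="{SHA256}"/>'
                f'<DigestValue>{dv}</DigestValue></Reference>')
    return ('<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
            + ref("", implicit_octets) + ref(f' URI="{uri}"', uri_octets)
            + '</SignedInfo>')
```

A verifier called without implicit octets raises UnresolvedReference on the URI-less Reference rather than reporting a pass over the References it could follow.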