- From: Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at>
- Date: Tue, 28 Aug 2001 08:28:23 +0200
- To: "Dournaee, Blake" <bdournaee@rsasecurity.com>
- Cc: "XMLSigWG" <w3c-ietf-xmldsig@w3.org>
you will agree that, first, your example does not really reflect the usual use-case. second, i would not recommend anyone to structure a document in such a wired and inconvenient manner. third, the Target attributes do not help you a lot in that case. because the application normally searches for signatures and there it has to dereference all Reference elements in the SignedInfo of each Signature. therefore, it knows, which Signature signs what content and what SignatureProperty. if you are coming from the other direction - the application has the SignatureProperties and wants to know, what Signature covers what SignatureProperty - the application may follow the Target reference. nevertheless, it has to verify if the Signature really has a Reference to that SignatureProperty. moreover, if the application in your example wants to have more than one Signature to cover the same SignatureProperty, you cannot set a Target reference. it can be a many-to-one reference, if several Signatures sign the same SignatureProperty. and if you cannot share SignatureProperties among several Signautre elements, it does not make sense to place them in a manner as your example shows. in my opinion, the Target reference attribute should be 'optional' rather than 'required'. regards Karl -- Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at> Institute for Applied Information Processing and Communications (IAIK) at Graz University of Technology , Austria, http://www.iaik.at and http://jcewww.iaik.at Phone: (+43) (316) 873-5540 > -----Original Message----- > From: Dournaee, Blake [mailto:bdournaee@rsasecurity.com] > Sent: Monday, August 27, 2001 9:19 PM > To: 'Karl Scheibelhofer'; Donald E. Eastlake 3rd > Cc: XMLSigWG > Subject: RE: Why is the Target attribute in SignatureProperty required? > > > Karl, > > What if a document contains many <Signature> elements and many > <SignatureProperties> elements? > > This is what I'm thinking of: > > <Sigs> > <Signature Id="Sig1> > ... > </Signature> > > <Signature Id="Sig2> > ... > </Signature> > > <Signature Id="Sig3> > ... > </Signature> > > <Signature Id="Sig4> > ... > > <Object> > <SignatureProperties> > <SignatureProperty Id="Prop1" Target="#Sig1"> > ... > </SignatureProperty> > > <SignatureProperty Id="Prop2" Target="#Sig2"> > ... > </SignatureProperty> > > <SignatureProperty Id="Prop3" Target="#Sig3"> > ... > </SignatureProperty> > > ] </SignatureProperties> > > </Object> > > </Signature> > </Sigs> > > In my example above, the last signature contains three sets of assertions > that do not relate to Sig4, but do relate to the other <Signature> child > elements. > > > Blake Dournaee > Toolkit Applications Engineer > RSA Security > > "The only thing I know is that I know nothing" - Socrates > > > > > -----Original Message----- > From: Karl Scheibelhofer [mailto:Karl.Scheibelhofer@iaik.at] > Sent: Monday, August 27, 2001 6:31 AM > To: Donald E. Eastlake 3rd > Cc: XMLSigWG > Subject: RE: Why is the Target attribute in SignatureProperty required? > > > sorry, i canot follow your argumentation. > if my SignedProperties is inside the Object element of a > signature, i really > do not need this reference. even though, i must set it, because it is > required (however, the ID of the signature itself is optional). > if the target is present, the application must nevertheless check if this > SignedProperties is really covered by a reference in the > signature, when it > verifies the signature. the Target attribute does not relly help in many > cases. i agree that there might be applications where it is useful to have > such a Target attribute, but it should be optional rather than reuqired, i > think. > this Target is only useful in applications where you have separated > SignedProperties and you need to find the signature which signs > it. i think > that this is not common practice. normally you need to come from the other > direction - you have the signature and get the SignedProperties of it, for > which you use the references directly. > > regards > > Karl > > -- > > Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at> > Institute for Applied Information Processing and Communications (IAIK) > at Graz University of Technology , Austria, http://www.iaik.at and > http://jcewww.iaik.at > Phone: (+43) (316) 873-5540 > > > -----Original Message----- > > From: Donald E. Eastlake 3rd [mailto:dee3@torque.pothole.com] > > Sent: Monday, August 27, 2001 3:13 PM > > To: Karl Scheibelhofer > > Cc: XMLSigWG > > Subject: Re: Why is the Target attribute in SignatureProperty required? > > > > > > > > If it appears inside a Signature, a SignatureProperty could apply > > to that signature or separately to any one of the References. If > > it appeared outside of a Signature, it could apply to any singature > > or reference in the world. You need Target to tell what's going on. > > > > Donald > > > > > > From: "Karl Scheibelhofer" <Karl.Scheibelhofer@iaik.at> > > To: "XMLSigWG" <w3c-ietf-xmldsig@w3.org> > > Date: Mon, 27 Aug 2001 14:47:44 +0200 > > Message-ID: <NDBBJJNFOMNNKFDPLCDJGEJACLAA.Karl.Scheibelhofer@iaik.at> > > > > >hi, > > > > > >can anyone explain, why the Target attribute in the > > SignatureProperty type > > >is required and not optional? i can see no obvious reason to make this > > >attribute required. > > > > > >regards > > > > > > Karl > > > > > >-- > > > > > >Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at> > > >Institute for Applied Information Processing and Communications (IAIK) > > >at Graz University of Technology , Austria, http://www.iaik.at and > > >http://jcewww.iaik.at > > >Phone: (+43) (316) 873-5540 > > > > > > > > >
Received on Tuesday, 28 August 2001 02:28:07 UTC