W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 2001

Clarification on 4.3.3.1 -- elided URI attributes

From: Brian LaMacchia <bal@microsoft.com>
Date: Wed, 10 Oct 2001 11:13:54 -0700
Message-ID: <BCDB2C3F59F5744EBE37C715D66E779C02903034@red-msg-04.redmond.corp.microsoft.com>
To: <w3c-ietf-xmldsig@w3.org>
XMLDSIG Section 4.3.3.1 contains this paragraph which identifies when
you can elide the URI attribute on a Reference: 

If the URI attribute is omitted altogether, the receiving application is
expected to know the identity of the object. For example, a lightweight
data protocol might omit this attribute given the identity of the object
is part of the application context. This attribute may be omitted from
at most one Reference in any particular SignedInfo, or Manifest.

What is the justification for the restriction embodied in the last
sentence?  Once you elide a single URI attribute from a Reference,
you're guaranteed to be in an application-specific domain where the
verifier must have out-of-band knowledge to match up Reference and
referenced content.  Given that the receiving application has to know
how to find one referenced object, why can't it know implicitly how to
find multiple referenced objects and match them up?  Since we're talking
about application-specific context anyway there's no interop issue, so
what's the benefit of having the restriction on elided URLs? 

Unless there's a compelling reason to keep the restriction (which I
can't see), I suggest we remove it and delete the last sentence of the
quoted paragraph from 4.3.3.1.

					--bal
Received on Wednesday, 10 October 2001 14:15:33 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:14 GMT