RE: unparsed entities

From: Richard D. Brown <rdbrown@GlobeSet.com>
Date: Wed, 7 Apr 1999 19:20:19 -0500
To: "'John Boyer'" <jboyer@uwi.com>
Cc: "'Dsig group'" <w3c-xml-sig-ws@w3.org>
Message-ID: <002c01be8155$96a8ca00$0bc0010a@artemis.globeset.com>

John,

> If, on the other hand, a signature manifest states that certain external
> entities should be packaged into the signature element as subelements, then

A signature Manifest does not drive the signature computation process. It
only reports about it so that signature verification can be done. The
Manifest consists of the element that is actually authenticated.
Authentication of other elements is indirect (at least in my proposal).

However, you raise one point that is quite interesting: should we provide
the ability to identify authenticated resources in the Manifest either by
means of a reference (XML Link and Hash) or by value (package sub-element)?
This is a bit different from what I have proposed: packaging can be done but
outside the Manifest.

Nonetheless, this does not really change my opinion regarding the fact that
the Signature Standard shall not require the signature engine to "chase"
given external entities. Somewhere I feel that our divergence may be due to
different concepts regarding the API that is used in the end.

Are you contemplating something so that in the end you sign an XML document
that is input as a stream into the signature engine?

  SignatureEngine engine = new SignatureEngine();
  engine.setParameter(...);
  // envelope approach (i.e. S/MIME)
  engine.encode(inputStream, outputStream);

Or do you envision something where you explicitly indicate the elements (or
resources) that should be authenticated?

  Signature sig = new Signature();
  sig.setParameter(...);
  sig.addResource(element1);
  sig.addResource(element2);
  Element xsig = sig.encode();

-- Please excuse these nasty code snippets. They are strictly
intended for illustrative purposes. --

In the first case, the standard must specify global attributes to identify
which elements must be authenticated. In the second case, it is a matter
for the application layer to identify these elements. Which approach has been
adopted for XFDL?

Sincerely,

Richard D. Brown
Software Architect - R&D
GlobeSet, Inc. Austin TX - U.S.
Received on Wednesday, 7 April 1999 20:19:48 EDT
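
Added example, not part of the original message and not code from either proposal: a sketch of the second API style, where the application hands resources to the signer, only the Manifest is authenticated directly, and each resource is checked indirectly by digest (by reference) or carried inline (by value). Assumptions: JSON stands in for the XML Manifest, HMAC-SHA256 stands in for the signature algorithm, and all function names, URIs and the key are hypothetical.

```python
import base64
import hashlib
import hmac
import json

def build_manifest(resources, by_value=()):
    """Build the Manifest from bytes the application supplies (nothing is fetched).

    resources: {uri: bytes}; URIs listed in by_value are packaged inline,
    all others are recorded by reference as a SHA-256 digest.
    """
    entries = []
    for uri in sorted(resources):
        data = resources[uri]
        if uri in by_value:
            entries.append({"uri": uri, "value": base64.b64encode(data).decode()})
        else:
            entries.append({"uri": uri, "sha256": hashlib.sha256(data).hexdigest()})
    # Fixed serialization so signer and verifier authenticate identical bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(manifest, key):
    # Only the Manifest bytes are authenticated directly.
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()

def verify(manifest, tag, key, fetch):
    """Return (manifest_ok, {uri: status}); fetch(uri) is supplied by the application."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, {}
    status = {}
    for entry in json.loads(manifest):
        uri = entry["uri"]
        if "value" in entry:
            status[uri] = "ok (by value)"  # content is inside the signed bytes
            continue
        data = fetch(uri)  # the application, not the engine, resolves the reference
        if data is None:
            status[uri] = "unavailable"
        elif hashlib.sha256(data).hexdigest() == entry["sha256"]:
            status[uri] = "ok"
        else:
            status[uri] = "digest mismatch"
    return True, status

# Constructed sample data: hypothetical URIs, contents and key.
KEY = b"constructed-demo-key"
RESOURCES = {"urn:example:order": b"<order id='1'/>", "urn:example:logo": b"\x89PNG-constructed"}
MANIFEST = build_manifest(RESOURCES, by_value={"urn:example:order"})
TAG = sign_manifest(MANIFEST, KEY)
```

A resource that cannot be retrieved at verification time is reported as "unavailable" without invalidating the Manifest check itself, which is the practical consequence of not requiring the engine to chase external entities.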
