W3C home > Mailing lists > Public > w3c-xml-sig-ws@w3.org > April 1999

MIME Blobs

From: <rhimes@nmcourt.fed.us>
Date: Wed, 07 Apr 1999 19:02:45 -0700
Message-Id: <9904079235.AA923533456@nmcourt.fed.us>
To: <w3c-xml-sig-ws@w3.org>
     
     I've encountered a related difficulty in a specification I'm working 
     on at
     
     http://www.nmcourt.fed.us/xci/xcispec.htm
     
     in which I'm defining a protocol for exchange of information between a 
     court and attorneys, including electronic filing.  The problem is that 
     our court is currently accepting electronic filings in PDF format.  We 
     want the PDF documents signed in their native format (i.e. as close to 
     presentation format as possible).  If the PDF document were packaged 
     within XML, it would presumably be base64 encoded and tagged with a 
     MIME package element (type="application/pdf").  The problem is that I 
     need to include the signature of the source PDF in the XML document, 
     not the base64 version with the tags, and I'd like to do it in a 
     "standard" way.
     
     Other applications may run into this same problem, where the encoded 
     content is application-specific but signed in its native format.  An 
     example may be future e-mail systems using MIME.
     
     I would like the standard to include the ablility to specify that a 
     hash (signature) is applied only to the unencoded content of a MIME 
     package (the original binary blob) without having to write it 
     externally for verification.
     
     Rich Himes <rhimes@nmcourt.fed.us>


______________________________ Reply Separator _________________________________
Subject: Re: unparsed entities 
Author:  <w3c-xml-sig-ws@w3.org> at ~Internet
Date:    4/7/99 5:50 PM


Hi Richard,
     
     
>John,
>
>What is being signed shall be explicitly specified in the signature 
manifest
>by means of XML links. Thus, if an external/unparsed entities needs to be 
>embedded into the signature process then this entity shall be packaged into 
>the document and a link to the package element shall be inserted in the 
>signature manifest. Conversely, if you can suffice with an external 
>reference to the resource, but still want to bind the actual value of this 
>resource into the signature process then you should insert both the hash 
and
>the reference to this external entity into the signature manifest. Notice 
>that you should not expect the "signature engine" to verify that the hash 
of
>the external entity matches with the one inserted in the signature 
manifest.
>An implementation that complies with the standard should only assess that 
>the signature value is valid in regard to the signature manifest. It falls 
>under the responsibility of the application layer to verify the actual 
value
>of the external entity.
     
The external entities, once packaged into the document, can be signed 
directly by simply regenerating a portion of the document that happens to 
include the elements containing the packaged external entities.
     
Received on Wednesday, 7 April 1999 21:04:50 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 11:28:03 EDT