Re: reference mechanisms in "XML-Signature Requirements" from Joseph M. Reagle Jr. on 1999-07-20 (w3c-ietf-xmldsig@w3.org from July to September 1999)

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Tue, 20 Jul 1999 17:22:23 -0400
To: Dan Connolly <connolly@w3.org>
Cc: w3c-ietf-xmldsig@w3.org
Message-Id: <3.0.5.32.19990720172223.009dc580@localhost>

At 04:17 PM 7/13/99 -0500, Dan Connolly wrote:
 >It's a real pain that between RFC1630 and RFC2396, the
 >term "URI" got changed from including the #fragmentID
 >to not including it, but there you are.

Ahh... now I partly understand the root of the inconsistencies I've seen.

 >The HTML 2.0 spec uses the term "anchor address"
 >to mean an absolute URI with an optional fragment identifier.
 >You can use that, or define the term "web address"
 >analagously.

I'd rather not invent a term, and people find "web *" to imply it is a
network accessible resource ...

 >You might be trying to use the term "XML locator" to
 >mean just that:
 >
 >
 >	XML-Signature referents are identified with
 >        XML locators (URIs or fragments)
 >
 >But note that it (currently) doesn't;
 >it proposes a sort of extension to URIs using the |
 >to signal some new semantics. Did you mean to
 >include this new | feature?
 >
 >http://www.w3.org/TR/1998/WD-xlink-19980303#addressing

This is a worthwhile reread. However, as an XML application that is XML link
savy, I'd have to say we mean locator, I've stuck that in.. However, based
on the FTF meeting, I've added the following because people are fairly
frightened of the ambiguities presently.

!The WG may specify security requirements that constrain the operation of 
!these dependencies to ensure consistent and secure signature generation 
!and operation. [Oslo}

>Anyway... I suggest you strike "Whenever possible" from

Good idea.

 >and replace
 >	Ability to specify algorithms independently and to
 >	reference the algorithms linked to standard algorithm
 >	specifications (e.g. OIDs)
 >
 >with a note saying that if you want to use a signature
 >algorithm in conjuction with XML-signature, you've got
 >to define a URI for it. Hmm... seems we're lacking
 >a spec for oid: URIs. Easy enough to fix... just
 >write a little spec like the uuid: URI scheme.

At the FTF, people were of the mind they wanted to avoid OIDs per-se and I
agree, but I -- at least -- am a bit fuzzy as to the point of casting an OID
as a URN which is a URI. Perhaps necessary, but not quite sure what it
solved.

_________________________________________________________
Joseph Reagle Jr.   
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://w3.org/People/Reagle/

Received on Tuesday, 20 July 1999 17:22:22 UTC