- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Wed, 21 Jul 1999 13:33:15 -0400
- To: Dan Connolly <connolly@w3.org>
- Cc: IETF/W3C XML-DSig WG <w3c-ietf-xmldsig@w3.org>
At 10:47 AM 7/21/99 -0500, Dan Connolly wrote: >Yes, you can have a Web resource that is "the current edition >of the USA Today" but there's no one digital signature that >works for such a resource over time. A particular digital signature >applies to the content of that resource as of this morning, >or as of yesterday morning, but not both. Ok, I like this distinction. (Though I still wonder what makes a resource a resource, the fact that it has a URI -- question is re-asked below) >> >So I'd suggest replacing that "signatures on Web resources" >> >with "signatures on digital content." So: >> >> This is certainly true. You can sign anything you can perform the >> cryptographic operation on. Is there a class of digital content that we >> don't wish to sign? No. Is there a class of digital object that we can't >> sign? Yes, that which is not addressable. > >Why don't you want to be able to sign documents that don't have >addresses? i.e. a document on stdin, or the following document: Because, (I believe) we are in actuality signing the manifest, which includes hashes of the resources. If you can't stick it in the manifest, how do you sign it? > <doc>Four score and seven years ago today</doc> > >I thought you did want to sign such content, hence >"portions of protocol messages" in the Introduction. This is terminology that Don introduced and I don't completely understand; I did speak to Don about it last week and understood it in as far as defining an application of signatures, but not on how one actually does this. I assume even a stream or protocol flow of XML stuff will be addressable in some way, if only through local fragment idenitifiers. Don, can you speak to this? Is there already an example in IOTP? >Another example of content that doesn't have an address: >the current contents of http://www.w3.org/. In a month >from now, the content of http://www.w3.org/ will (most likely) >change, and there isn't any URI that refers to the content >as of today (hm... actually, there is, but it's in our >internal CVS web space that we don't make generally available). To play devil's advocate: the content at http://www.w3.org/ certainly does have an address, it's "http://www.w3.org/." However, a month from now that content no longer exists, and different content is re-using it's address. I feel like we might be approaching the topic of "uniqueness" as well, which we've been meaning to chat about. Regardless, I like your distinction. For our purposes, are these the definitions? resource - digital content, all resources are addressable content - bytes delivered upon accessing a resource. not all content is addressible. uri - one way of addressing a resource given the specified production rules. locator is difficult and relates to my question of when you use a fragment identifier "#" or even the "|" which application is responsible for defining and handing the set of bytes to the signed-XML processor? >But in general, yes: a web resource that tells you what time it >is in Geneva is different from the string "4pm". Ok, I'll buy this. >... which just goes to show that "the content of a Web resource" >is a definite description error, like saying "the arm of the man." >Which arm? I don't buy this. To the question of "which arm" the answer is the arm with the following fingerprint (hash). _________________________________________________________ Joseph Reagle Jr. Policy Analyst mailto:reagle@w3.org XML-Signature Co-Chair http://w3.org/People/Reagle/
Received on Wednesday, 21 July 1999 13:33:14 UTC