- From: Richard D. Brown <rdbrown@Globeset.com>
- Date: Wed, 21 Jul 1999 13:54:18 -0500
- To: "'Joseph M. Reagle Jr.'" <reagle@w3.org>
- Cc: "'Dan Connolly'" <connolly@w3.org>, "'IETF/W3C XML-DSig WG'" <w3c-ietf-xmldsig@w3.org>
> > So the XML Package includes the encoding algorithm and source > locator, as > well as the encoded form, which encapsulated the PDF file. > Now what does the > actual signature manifest locator point to: the package or > the source? If > the source then it might not know to look in the package; if > the package, it > should sign the package. Part of the issue here is to what > degree does the > URI speak of the location and/or encoding? The Manifest point to the source. The application expects (this was an application level issue) a Package element with the same resource locator. Recall that the XMLDSIG specification does not cover verification of the resources pointed by the Manifest. This is left to the application layer. > > ------- > _XML Package (ID=package) > : encoding algorithim > : resource locator > ____ > _Encoding form > _______ > _PDF File (ID=source) > > I think my preferred solution would be a statement about a > statement: (I > sign (I am the package/encoded form of (I am a contractual > statement))) ... ? > In this case, you still sign the encoded version of the document, not the original content. Sincerely, Richard D. Brown
Received on Wednesday, 21 July 1999 14:54:43 UTC