- From: John Boyer <jboyer@uwi.com>
- Date: Wed, 21 Jul 1999 16:12:08 -0700
- To: "DSig Group" <w3c-ietf-xmldsig@w3.org>
> >... which just goes to show that "the content of a Web resource" > >is a definite description error, like saying "the arm of the man." > >Which arm? >I don't buy this. To the question of "which arm" the answer is the arm with >the following fingerprint (hash). Yes, but we don't want a digital signature system that has to search around for something matching a given hash until it finds the content that the signature 'must have' been referring to. If a signature is created that includes a hash of something indicated by the URI, and someone later changes the content at the URI, then the signature is broken. When the content addressed by a URI is known to be volatile, the only reasonable option is to take a copy of the content and put it into the document. Taking a copy could be viewed as an application level task. However, I think it would be easier for those who must write a signature manifest if they could give a URI, but mark it as volatile (e.g. using an attribute). Then, the algorithm that creates the signature would know to do the following: 1) obtain the content, 2) store it in a local element within the document, and 3) change the URI in the manifest to point to the local element before creating the hash of the manifest. John Boyer Software Development Manager UWI.Com -- The Internet Forms Company
Received on Wednesday, 21 July 1999 19:11:46 UTC