- From: Richard D. Brown <rdbrown@Globeset.com>
- Date: Wed, 28 Jul 1999 18:45:03 -0500
- To: "'Richard Himes'" <rhimes@nmcourt.fed.us>
- Cc: <w3c-ietf-xmldsig@w3.org>
Richard, > > I don't know what you mean by the general problem, Richard. > Would the "general" > solution be intractable or would it be a significant > diversion? Or would it be > cleaner? Unfortunately, I cannot answer this question. The current solution is obviously outside the scope of XMLDSIG specification and very much application-specific, though this "XML packaging" practice could be sometimes standardized (very similar in functionality to S/MIME). > I was wondering if it would be reasonable to use an > internal link, and > describe the situation in the manifest (i.e. the hash is on > the unencoded > content of the thing pointed to by the locator) rather than > using a common > origin/href value. > I am afraid that this approach might be a bit too much specific. In fact, I start to doubt about the actual benefit of hashing the unencoded content. In final, you sign the canonical representation of the Manifest and not the hash. Therefore, in order to sustain a claim, you will have to establish/demonstrate/prove the construction of the signature WRT to the original document, the signer key/credential, and the cryptograpic algorithms. Adding one step in the demonstration is not necessarily the/a problem (thoughts...) Cheers, Richard D. Brown
Received on Wednesday, 28 July 1999 19:45:11 UTC