- From: John Boyer <jboyer@uwi.com>
- Date: Thu, 29 Jul 1999 12:50:07 -0700
- To: "Mark Bartel" <mbartel@thistle.ca>, <w3c-ietf-xmldsig@w3.org>
On that last one, I didn't finish the first set of comments due to a distraction. Here it is. <John> It seems preposterous to say that most applications will not care about the order of the elements in a conversation about digital signatures. For starters, it is wrong on a theoretical level. Like it or not, the XML 1.0 spec does not forbid extensions languages from deriving meaning based on the order in which the elements appear. If you want that, use RDF. Second, it is wrong on a technical level. A hash itself is sensitive to the order of the substrings within a given message to be hashed. Third, it's wrong on a practical level, namely that you have not provided any evidence of having sampled lots of applications. For example, the single largest body of applications based on any kind of markup are HTML forms, and they care very much about order. Even with separation of data and presentation in XHTML forms (should it ever get built or supported), the presentation must still be signed along with the data (and the manifest notion in the Brown draft clearly allows for this). Hence order will matter in the presentation signature. Most importantly, there is no sampling from applications yet to come. If I can come up with valid, well-formed XML, we should be able to sign it even if we don't like the markup language design. Signatures should not break because we don't like this or that part of what XML allows. So, given that it isn't actually all that hard to write software that does the things I'm describing (UWI has been doing it for almost two years now!), why not see if we can conceive of a signature syntax that does a good job on any valid, well-formed XML? John Boyer Software Development Manager UWI.Com -- The Internet Forms Company </John>
Received on Thursday, 29 July 1999 15:50:06 UTC