RE: comments on 990806 Requirements Doc from John Boyer on 1999-08-17 (w3c-ietf-xmldsig@w3.org from July to September 1999)

From: John Boyer <jboyer@uwi.com>
Date: Tue, 17 Aug 1999 13:30:46 -0700
To: "Joseph M. Reagle Jr." <reagle@w3.org>, <dee3@us.ibm.com>
Cc: "Richard D. Brown" <rdbrown@Globeset.com>, "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLAOMJKOFPMBCHJOIIELPCAAA.jboyer@uwi.com>

[Comments to an email from  Don, that hasn't yet made it to the list.]

At 13:21 99/08/17 -0400, dee3@us.ibm.com wrote:
 >2.2:  Suggest changing "The manifest includes..." to "The manifest must
 >support..." so as to permit other types of manifest.

Manifests that don't use URIs? If so, what would be the example?

<John>The examples are forthcoming in the scenarios document.  For one, the
IMPP example in the copy of the woefully incomplete scenarios document you
have already. </John>

 >3.1.2: Assumes the manifest of locators model.  Perhaps simply changing
 >"XML-signatures apply ..." to "XML-signatures may apply..." would give the
 >flexibility needed to accodate other models.

What other models are we speaking of?

<John> For example, having the signature directly sign the data by
enveloping the data inside of the manifest. </John>

<snip>

 >3.2.1: Suggest simply replacing "document" with "element" and dropping the
boxed
 >comment.

Now reads, "An XML-signature must be a well-balanced XML region (as defined
by XML-Fragment) that begins and ends with a signature element. [Charter]"

<John>Fragments are still in working draft.  Who knows, a fragment may
change at some point in the future to include non-continuous regions</John>

 >Boxed comment at the end of 3.4: I don't see that packaging is that
dependent on
 >trust/semantic definitions.  Since there are fragment and package WGs, why
isn't
 >coordination with them adequate?

(At 4.2. Package might start next year, and Boyer doesn't think the fragment
work is sufficient, so I'm flagging these as particularly salient
dependencies.

<John> I think that fragments are almost sufficient except they can't
specify non-continuous regions.  If they could, then the construction of a
fragment would completely satisfy all of my concerns since they already
capture the ancestor element information like tags, attributes and element
depth.

Deep in one of Richard's prior posts, it is suggested that the exclusion
technique (which is what I really want) could be done as c14n parameters.
I'd like this only if it were mandatory to implement so that all XML DSig
compliant applications could understand the signatures I have to create
every day. Another possibility is that someone mentioned to me that the
recent overhaul of XPointer includes the ability to specify non-continuous
regions of the XML resource.  If this could be combined with fragments, then
it would also be sufficient to solve the problems I raised previously about
ancestor information and element order being captured in the signature.
</John>

_________________________________________________________
Joseph Reagle Jr.
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://w3.org/People/Reagle/

Received on Tuesday, 17 August 1999 16:31:34 UTC