- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Thu, 26 Aug 1999 14:31:19 -0400
- To: relyea@netscape.com (Bob Relyea)
- Cc: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>, IETF/W3C XML-DSig WG <w3c-ietf-xmldsig@w3.org>
At 10:24 99.08.26 -0700, Bob Relyea wrote:
>semantics of the signature itself. The working group has continued to push
>off the semantics of the signature to the application. If this is the case,
>only the application can choose appropriate c14n algorithms -- and then can
>only interoperate with other applications that agree with its definition of
>the semantics of the signature.
"The meaning of a signature is simple: The XML-signature syntax associates
the content of resources listed in a manifest with a key via a strong
one-way transformation. " We of course may wish to generalize this to
"associates content" -- regardless of a manifest. The semantics of the stuff
we sign is tricky, we'll have to address some of this for a c14n, manifest,
package, and reference -- and this is where we are things get tricky; so we
want to intrude into this domain minimally. We want to punt on application
semantics all-together.
>But interoperability implies that applications agree on the semantics of
the
>signature as well.
Right, so we are (as lightly as possible) touching on the semantics of
{c14n, manifest, package, and reference} so as to provide a minimal set of
interoperable trust assertion/evaluation functionality. c14n is actually
different than the other 3 in that I do believe it could be done completely
at the application level. If we bungle the definitions of manifest, package,
and reference it makes it difficult for other people to extend what we've
done in terms of data-model/assertions.
_________________________________________________________
Joseph Reagle Jr.
Policy Analyst mailto:reagle@w3.org
XML-Signature Co-Chair http://w3.org/People/Reagle/
Received on Thursday, 26 August 1999 14:31:24 UTC