W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 1999

Summary of Closure Argument

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Tue, 21 Sep 1999 15:39:16 -0400
Message-Id: <>
To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Cc: Tim Berners-Lee <timbl@w3.org>, swick@w3.org
Summary of "Closure" from my Point of View:

I think I now understand John's closure. While a document might be
well-formed and valid XML and while that particular document meets the
grammatical constraints of its schema definition, it is not yet complete in
the eyes of the application. For example, consider an application that
requires two signature on a blob. The first signer creates a valid and
well-formed signed XML document (D1) that abides by the production rules of
its schema definition. The first signer then sends it to the second party
who also signs it creating (D2). Somehow there was a "closure specification"
that effects the following property: only transformations of type
(X.permitted) will transform (D1) into (D2). XPath can be used to write
(X.permitted). "Thus, if person A signs an unfinished document, then the
signature filters can be set up to describe precisely what is allowed to
change after Person A's signature in order to achieve closure on the
document." [1] (I could imagine one trying to do this in the data model or
schema definition language, defining transformations between the data
models. Ralph?)

Don's disagreement seems to be that this can be a useful property and XPath
is a way to do it, but that a complement to XPath (not a exclusive option)
is to use dsig:target to set the boundaries of the scope XPath will use. It
doesn't give you closure but it does define the scope of the signature: "so
why do you argue so much against optional markers which just provide another
way to use XPath, a way that is not appropriate for closure applications but
is appropriate for other applications and in particular for a different
requirement that there seems to be no other way to met? " [2]

John does not seem convinced that the use of the dsig:target makes anything
simpler. In fact, to express that scope within XPath requires the sibling
axes, which might be easier to not bother with regardless and asks: "But how
does this substantiate the point that we should have two different semantics
for how the message to be signed and verified is generated?"

Consequently, I think the issue is: is XPath required?:

(1) if we require XPath, we might as well use the XPath to do the job and
not confuse it (or bring in the sibling axis) with dsig:target.

(2) if XPath is only optional, others might want to use regexp type stuff
and dsig:target. However, those that use XPath won't have their signatures
readable by those who opted not to use it, and they now might use the
sibling axis to implement dsig:target.

[1] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/1999JulSep/0295.html
[2] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/1999JulSep/0300.html
[3] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/1999JulSep/0299.html

Joseph Reagle Jr.   
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://w3.org/People/Reagle/
Received on Tuesday, 21 September 1999 15:39:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:09:56 UTC