W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 1999

RE: How to sign several resources (XML and XSL)?

From: Ed Simon <ed.simon@entrust.com>
Date: Wed, 22 Sep 1999 19:26:56 -0400
Message-ID: <01E1D01C12D7D211AFC70090273D20B105E775@sothmxs06.entrust.com>
To: "'David Burdett'" <david.burdett@commerceone.com>, "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
Cc: "IETF Trade (E-mail)" <ietf-trade@lists.eListX.com>
When someone signs something, I would imagine that he/she would
be looking at some sort of visual contract at the time.  Ideally,
one would want to sign enough of the "presentation mechanism" to
be able to re-create as closely as possible the appearance of
that contract later (perhaps for legal purposes).

Stylesheets provides an excellent way of capturing the presentation
of XML-encoded data.  It would seem to me that many applications
might want to consider using XSL for this purpose and would then
sign the XSL use to present the XML data also being signed.

Of course, the visual appearance may be affected by other factors
such as the limitations of the browser (did that version process
the stylesheet properly?) and the physical device.
One would also have to make sure there could be no unresolved
external entities that could be disputed later
(eg. don't sign "&bank;", sign the value of
the entity, eg. "Bank of Bells Corners").

I don't recall if it has been mentioned yet on this archive
but our own Joseph Reagle has a recent paper entitled
"Eskimo Snow and Scottish Rain*:
Legal Considerations of Schema Design"
(see "http://www.w3.org/TR/md-policy-design").

Regards, Ed

-----Original Message-----
From: David Burdett [mailto:david.burdett@commerceone.com]
Sent: September 22, 1999 5:46 PM
To: Winchel 'Todd' Vincent, III; Andreas Siglreithmayr; W3c-Ietf-Xmldsig
Cc: IETF Trade (E-mail)
Subject: RE: How to sign several resources (XML and XSL)?

Following on from this I'm wondering what people's views are on signing an
XML document that is primarily an XML representation of a data structure
that is defined in a specification that is widely and publically available.

The XML document, in it's native form is readable but not easily
understandable. A style sheet would make the document easier to understand
but is not required since the semantics of the document are defined in the
specification. However could use of a stylesheet then be construed as
altering the meaning of the XML document as far as a recipient is concerned.

I ask since this is what IOTP effectively does, it signs several parts of a
data structure (represented in XML) and then creates new data structures
from the orginal that are also digitally signed and, using additional
"endorsing" signatures, "binds" the new document back to the original.


-----Original Message-----
From: Winchel 'Todd' Vincent, III [mailto:winchel@mindspring.com]
Sent: Wednesday, September 22, 1999 1:43 AM
To: Andreas Siglreithmayr; W3c-Ietf-Xmldsig (E-mail)
Subject: Re: How to sign several resources (XML and XSL)?

> I think that if someone signs an XML-document, s/he would also have
>to sign the corresponding XSL file.


Other people on this list hold the very same opinion.  Indeed, as an
American lawyer, I believe there are very good legal reasons why *not*
signing the stylesheet might just get and XML document thrown out of court
if/when it were introduced into evidence.  Such a result would, of course,
make the technology much less valuable.

Thank you for your input.  I think having someone with a new and fresh
perspective helps to shed light on the simplicity and logic of the notion.
I wish others would see it so clearly.

Received on Wednesday, 22 September 1999 19:25:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:09:56 UTC