- From: Ed Simon <ed.simon@entrust.com>
- Date: Wed, 22 Sep 1999 19:26:56 -0400
- To: "'David Burdett'" <david.burdett@commerceone.com>, "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
- Cc: "IETF Trade (E-mail)" <ietf-trade@lists.eListX.com>
When someone signs something, I would imagine that he/she would be looking at some sort of visual contract at the time. Ideally, one would want to sign enough of the "presentation mechanism" to be able to re-create as closely as possible the appearance of that contract later (perhaps for legal purposes). Stylesheets provides an excellent way of capturing the presentation of XML-encoded data. It would seem to me that many applications might want to consider using XSL for this purpose and would then sign the XSL use to present the XML data also being signed. Of course, the visual appearance may be affected by other factors such as the limitations of the browser (did that version process the stylesheet properly?) and the physical device. One would also have to make sure there could be no unresolved external entities that could be disputed later (eg. don't sign "&bank;", sign the value of the entity, eg. "Bank of Bells Corners"). I don't recall if it has been mentioned yet on this archive but our own Joseph Reagle has a recent paper entitled "Eskimo Snow and Scottish Rain*: Legal Considerations of Schema Design" (see "http://www.w3.org/TR/md-policy-design"). Regards, Ed -----Original Message----- From: David Burdett [mailto:david.burdett@commerceone.com] Sent: September 22, 1999 5:46 PM To: Winchel 'Todd' Vincent, III; Andreas Siglreithmayr; W3c-Ietf-Xmldsig (E-mail) Cc: IETF Trade (E-mail) Subject: RE: How to sign several resources (XML and XSL)? Following on from this I'm wondering what people's views are on signing an XML document that is primarily an XML representation of a data structure that is defined in a specification that is widely and publically available. The XML document, in it's native form is readable but not easily understandable. A style sheet would make the document easier to understand but is not required since the semantics of the document are defined in the specification. However could use of a stylesheet then be construed as altering the meaning of the XML document as far as a recipient is concerned. I ask since this is what IOTP effectively does, it signs several parts of a data structure (represented in XML) and then creates new data structures from the orginal that are also digitally signed and, using additional "endorsing" signatures, "binds" the new document back to the original. David -----Original Message----- From: Winchel 'Todd' Vincent, III [mailto:winchel@mindspring.com] Sent: Wednesday, September 22, 1999 1:43 AM To: Andreas Siglreithmayr; W3c-Ietf-Xmldsig (E-mail) Subject: Re: How to sign several resources (XML and XSL)? > > I think that if someone signs an XML-document, s/he would also have >to sign the corresponding XSL file. Andreas: Other people on this list hold the very same opinion. Indeed, as an American lawyer, I believe there are very good legal reasons why *not* signing the stylesheet might just get and XML document thrown out of court if/when it were introduced into evidence. Such a result would, of course, make the technology much less valuable. Thank you for your input. I think having someone with a new and fresh perspective helps to shed light on the simplicity and logic of the notion. I wish others would see it so clearly. Todd
Received on Wednesday, 22 September 1999 19:25:24 UTC