XSL is an XML format, so we haven't excluded signature of XSL, have we? Also,
I'm aware of the W3C recommendation at
http://www.w3.org/TR/xml-stylesheet/
that ties a stylesheet to an XML document. However, a processing instruction is
used for this purpose, and we have proposed elimination of PI from our c14n. I
believe this needs to be revisited. Applications will definitely want the
option to locate and sign an associated stylesheet. IMO, It is not for us to
judge whether or not this makes sense to the application just because our
committee(s) can't guarantee a trusted browser. The level of trust required is
up to the application (they may restrict their application to specific signed
and trusted browsers, they may certify their application for specific common
browsers, etc.)
Rich
____________________Reply Separator____________________
Subject: Re: How to sign several resources (XML and XSL)?
Author: "Milton M. Anderson" <miltonma@gte.net>
Date: 9/23/99 7:44 AM
-----Original Message-----
From: David Burdett <david.burdett@commerceone.com>
Date: Wednesday, September 22, 1999 11:39 PM
Subject: RE: How to sign several resources (XML and XSL)?
>... otherwise how do you know the context for the XML data?
>
>You know the context because interpretation of the XML data is being done
by
>software from a presumably reliable source to do the interpretation that is
>built according to a specification that describes the semantics of data
>
>... I now feel that we're getting very close to the topic of "trusted"
>applications and I'm not sure we want to go there ...
Even if XSL is signed, you still have to assume a "trusted" browser.
It's impossible not to go there...
Milt