
Re: RD Comments

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Tue, 28 Sep 1999 17:42:11 -0400
To: <rdbrown@Globeset.com>
Cc: "'IETF/W3C XML-DSig WG'" <w3c-ietf-xmldsig@w3.org>
[Please provide the URI for the version of the document you are referring

Richard, thank you for your comments.

Resulting document is:


At 14:26 99/09/27 -0500, Richard D. Brown wrote:
 >page 1: "...,we have introduced changes that hopefully states..."
 >instead: "...,we have introduced changes that hopefully state..."

removed this section.

 >#2.1: "The specification must describe how to a sign..."
 >instead: "The specification must describe how to sign a..."


 >#2.2: "...Web resources are defined as any digital content content that..."
 >instead: "...Web resources are defined as any digital content that..."


 >#2.3: Why sublist 2.3.1-2.3.2?
I feel they qualify what it means to be simple.

 >#2.3: "...via a strong one-way transformation."
 >note: A signature or authentication algorithm is not necessarily a one-way
 >function. It is a cryptographic algorithm whose strength primarily resides
 >in the secrecy of a key.

The secrecy of the key is moot if the transformation is easily reversible.
It doesn't say a one-way function (but transformation) and we avoided "via a
cryptographic transformation" to avoid precluding signature methods that
weren't cryptographic. (I'm not advocating them, but I don't see why the
specification MUST preclude them.) But later in the formal definition, I do
use "one way function" which I've fixed. I'm happy to change this if others
think I should though (to cryptographic transformation).

 >#2.2.2: The formal description is quite confusing. Among other things, R is
 >defined as a resource and then used for a request. 

Agreed! Now reads:

Comment: A more formal definition of a signed resource is below. The
notation is "definition(inputs):constraints" where definition evaluates as
true for the given inputs and specified constraints.

signed-resource(URI-of-resource, content, key, signature): (there was some
protocol message at a specific time such that "GET(URI-of-resource) =
content") AND (sign-doc(content, key, sig))

sign-doc(content, key, signature): signature is the value of a strong
one-way transformation over content and key that yields content
integrity/validity and/or key non-repudiability 

 >#2.6: "Applications are expected to normalize application specific
 >prior to handing data to a XML-signature application."
 >note: Why? It shall be sufficient to specify the canonicalizer to be used
 >the signature engine...

" ... or specify the necessary transformations for this process within the

 >#2.6/2.7: You refer to XML-signature application. Is that correct? Don't
 >think that we are referring to any XML application that makes use of the
 >Signature Specification?

Yes, one could argue that XML-signature applications are a type of XML
application. But we do need to specify requirements over that type of
application, whereas we can't specify those requirements over all XML
applications. (I don't follow...?)

Joseph Reagle Jr.   
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://w3.org/People/Reagle/
Received on Tuesday, 28 September 1999 17:42:23 UTC
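
The point argued in the reply on #2.3, that key secrecy is moot when the transformation is easily reversible, shown as an added example (not part of the original message or the working group's documents). The XOR construction, the use of HMAC-SHA256 as the one-way stand-in, and all names and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac


def xor_tag(content: bytes, key: bytes) -> bytes:
    """Easily reversible transformation: content XOR repeating key (illustration only)."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(content))


def recover_key_from_xor(content: bytes, tag: bytes, key_len: int) -> bytes:
    """Invert xor_tag: any holder of (content, tag) learns the key."""
    return bytes(c ^ t for c, t in zip(content, tag))[:key_len]


def hmac_tag(content: bytes, key: bytes) -> bytes:
    """One-way keyed transformation (HMAC-SHA256, chosen here as a stand-in)."""
    return hmac.new(key, content, hashlib.sha256).digest()


def sign_doc(content: bytes, key: bytes, signature: bytes, transform) -> bool:
    """sign-doc(content, key, signature) from the message, for a given transformation."""
    return hmac.compare_digest(transform(content, key), signature)


def demo() -> dict:
    key = b"constructed-key!"  # constructed sample key
    content = b"<doc>constructed sample resource content</doc>"
    other = b"<doc>content the key holder never signed</doc>"

    # Reversible case: one published (content, signature) pair gives up the key,
    # so a value over different content verifies even though the key was "secret".
    weak = xor_tag(content, key)
    leaked = recover_key_from_xor(content, weak, len(key))
    forged = xor_tag(other, leaked)

    # One-way case: the tag verifies for the signed content and nothing else,
    # and it cannot be inverted to obtain the key.
    strong = hmac_tag(content, key)
    return {
        "key_recovered": leaked == key,
        "forgery_accepted": sign_doc(other, key, forged, xor_tag),
        "hmac_valid": sign_doc(content, key, strong, hmac_tag),
        "hmac_rejects_other": not sign_doc(other, key, strong, hmac_tag),
    }


if __name__ == "__main__":
    print(demo())
```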
