- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Tue, 28 Sep 1999 17:42:11 -0400
- To: <rdbrown@Globeset.com>
- Cc: "'IETF/W3C XML-DSig WG'" <w3c-ietf-xmldsig@w3.org>
[Please provide the URI for the version of the document you are referring to.]

Richard, thank you for your comments. Resulting document is:
http://www.w3.org/Signature/Drafts/WD-xmldsig-requirements-991001.html

At 14:26 99/09/27 -0500, Richard D. Brown wrote:
>TYPOS:
>======
>
>page 1: "...,we have introduced changes that hopefully states..."
>instead: "...,we have introduced changes that hopefully state..."

removed this section.

>#2.1: "The specification must describe how to a sign..."
>instead: "The specification must describe how to sign a..."

ok.

>#2.2: "...Web resources are defined as any digital content content that..."
>instead: "...Web resources are defined as any digital content that..."

ok.

>OTHERS:
>=======
>
>#2.3: Why sublist 2.3.1-2.3.2?

I feel they qualify what it means to be simple.

>#2.3: "...via a strong one-way transformation."
>note: A signature or authentication algorithm is not necessarily a one-way
>function. It is a cryptographic algorithm whose strength primarily resides
>in the secrecy of a key.

The secrecy of the key is moot if the transformation is easily reversible. It doesn't say a one-way function (but transformation) and we avoided "via a cryptographic transformation" to avoid precluding signature methods that weren't cryptographic. (I'm not advocating them, but I don't see why the specification MUST preclude them.) But later in the formal definition, I do use "one way function" which I've fixed. I'm happy to change this if others think I should though (to cryptographic transformation).

>#2.2.2: The formal description is quite confusing. among other things, R is
>defined as a resource and then used for a request.

Agreed! Now reads:

Comment: A more formal definition of a signed resource is below. The notation is "definition(inputs):constraints" where definition evaluates as true for the given inputs and specified constraints.

signed-resource(URI-of-resource, content, key, signature):
    (there was some protocol message at a specific time such that
    "GET(URI-of-resource) = content") AND (sign-doc(content, key, sig))

sign-doc(content, key, signature):
    signature is the value of a strong one-way transformation over content
    and key that yields content integrity/validity and/or key
    non-repudiability

>#2.6: "Applications are expected to normalize application specific semantics
>prior to handing data to a XML-signature application."
>note: Why? It shall be sufficient to specify the canonicalizer to be used by
>the signature engine...

" ... or specify the necessary transformations for this process within the signature."

>#2.6/2.7: You refer to XML-signature application. Is that correct? Don't you
>think that we are referring to any XML application that makes use of the XML
>Signature Specification?

Yes, one could argue that XML-signature applications are a type of XML application. But we do need to specify requirements over that type of application, whereas we can't specify those requirements over all XML applications. (I don't follow...?)

_________________________________________________________
Joseph Reagle Jr.
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://w3.org/People/Reagle/
Received on Tuesday, 28 September 1999 17:42:23 UTC
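
The two predicates in the formal definition above, together with the #2.6 point about naming the canonicalizer, as an added example that is not part of the original message or the working group's drafts. It assumes HMAC-SHA256 as the "strong one-way transformation" and Python's C14N 2.0 `canonicalize` as the canonicalizer; the key, URI, documents and the `observed_gets` record of protocol messages are constructed for illustration.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

def transform(content: str, canonicalizer: str) -> bytes:
    """Return the bytes that are actually signed for the named canonicalizer."""
    if canonicalizer == "c14n":
        return canonicalize(content).encode("utf-8")
    if canonicalizer == "none":
        return content.encode("utf-8")
    raise ValueError(f"unknown canonicalizer: {canonicalizer}")

def make_signature(content: str, key: bytes, canonicalizer: str = "none") -> str:
    """Assumed stand-in for the one-way transformation over content and key."""
    return hmac.new(key, transform(content, canonicalizer), hashlib.sha256).hexdigest()

def sign_doc(content: str, key: bytes, signature: str, canonicalizer: str = "none") -> bool:
    """sign-doc(content, key, signature): recompute and compare in constant time."""
    expected = make_signature(content, key, canonicalizer)
    return hmac.compare_digest(expected, signature)

def signed_resource(uri, content, key, signature, observed_gets, canonicalizer="none") -> bool:
    """signed-resource(...): some recorded GET(uri) returned content AND sign-doc holds."""
    return observed_gets.get(uri) == content and sign_doc(content, key, signature, canonicalizer)

# Constructed sample data: two serializations of the same XML information.
KEY = b"constructed-demo-key"
URI = "http://example.org/order.xml"
DOC_A = '<order id="1" cur="USD"><note/></order>'
DOC_B = '<order cur="USD" id="1"><note></note></order>'

def demo() -> dict:
    raw_sig = make_signature(DOC_A, KEY)
    c14n_sig = make_signature(DOC_A, KEY, "c14n")
    return {
        "raw signature survives reserialization": sign_doc(DOC_B, KEY, raw_sig),
        "c14n signature survives reserialization": sign_doc(DOC_B, KEY, c14n_sig, "c14n"),
        "signed-resource when URI served DOC_A": signed_resource(URI, DOC_A, KEY, raw_sig, {URI: DOC_A}),
        "signed-resource when URI served DOC_B": signed_resource(URI, DOC_A, KEY, raw_sig, {URI: DOC_B}),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The verifier has to apply the same canonicalizer the signer used, which is why the choice must be named by the application or carried within the signature.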