- From: John Boyer <jboyer@uwi.com>
- Date: Thu, 28 Oct 1999 15:08:31 -0700
- To: "Jim Schaad (Exchange)" <jimsch@EXCHANGE.MICROSOFT.com>, "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
Finding the signed items again is precisely the point of XPath and similar transforms. When I have a document that must be signed several times and possibly modified by a workflow, exclusive or omission logic can still be used. The list of things to omit from a signature (specified by an XPath for example) is the list of things that the signature permits to be changed within the document (e.g. by addition of more signatures, more enclosures, or other workflow activities). This is the essence of all those emails about Document Closure that are in the archive. So what is the problem with using Location="" to indicate 'this' document? If someone indicates 'this' document but no transforms specify allowable changes, then it *should* be the case that the signature breaks since the default *should* be that no changes are allowable. The important thing here is to look at XPath not only as an element exclusion tool but as a tool that allows someone to say what can still be changed after the signature is created. If Signature1 omits Signature2 and Signature 3, then Signature2 and Signature3 are precisely what can be added later. If somone adds Image2 or Image3, then Signature1 should break. Thanks, John Boyer Software Development Manager UWI.Com -- The Internet Forms Company -----Original Message----- From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of Jim Schaad (Exchange) Sent: Thursday, October 28, 1999 2:49 PM To: W3c-Ietf-Xmldsig (E-mail) Subject: Location="" The use of Location="" to refer to the entire document appears to me to be potentially troublesome in work flow applications. When one starts including or moving forward signed documents, add other items (including other signatures) and so forth. Using Location="" to refer to the containing document has now rather drastically changed its meaning and its not clear that the same set of items can be found again except potentially by explicit inclusion (rather than exclusion). I assume that when this statement is made that the omission of the Location element is absent that it is equivalent to <Location HREF="">. While I agree that it would be nice to be able to refernce the containing document by some simple and identifiable expression I don't believe that Location="" should potentially be that expression. I would like to reserve this for a different reference, specifcally the object contained within the Signature element. I believe that a large number of protocal messages will be built with the data being signed (a single item) being included in the Object of the Signature. These are the message that I am most worried about size for, and would therefore like to be able to omit the Location reference and still have it well understood what the location of the object is suppose to be. It seems to me that we potentially need a couple of different types of "labels" that are distinct within the location. Specifically would be "this is a URI of one type" and "You (the application) know what this is really suppose to be, find it for me" are two that spring to mind. Potentially the root of the document could be represented as <Location DOC/>. jim
Received on Thursday, 28 October 1999 18:08:32 UTC