- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Tue, 09 Nov 1999 10:04:29 -0500
- To: rhimes@nmcourt.fed.us
- Cc: <w3c-ietf-xmldsig@w3.org>, <aschmidt@darmstadt.gmd.de>, <reiner.huettl@munich.ixos.de>, <robert.frost@munich.ixos.de>, <connolly@w3.org>, <liberte@w3.org>, timbl@w3.org
At 17:20 99/11/08 -0700, rhimes@nmcourt.fed.us wrote: >Aren't we causing the problem that is "not ours to solve" by freezing these >values that will likely change? We didn't freeze them, they are frozen by definition: if someone uses a URL, that is an assertion that A: the content dereferenced at URL and transformed yields the following DigestValue. How do you make an assertion sans location semantics, such that: B: some object when found and transformed yields the following DigestValue ? I think this is a valid question. We have a requirement to identify objects via URIs. The URI need not be a URL. (In fact, I think the DigestValue is a good URI). We could relax that requirement and remove "Location" from the signature and only provide it as a resolution hint; or we permit a level of indirection pre/post signature creation. Pre: ObjectReference uses some mechanism such as a directory, URN, manifest etc. that provides resolution. Post: you allow a "redirect" or "cache" statement to be associated with the signature that states "the URI found in ObjectReference resolves to X" >>Z.a ObjectReference with Identifier/Location "http://2" yields content'' >>Z.b content==content'' > >I think this would be appropriate in some contexts where we need the detailed >audit trail of location changes, and it would be a nice option. It may be a bad >example, but (an example I just e-mailed, sorry for the dup) suppose I manage a >site with signed RDF statements about the documents on my site and I "dumbly" >used URLs to refer to them. Gigacorp buys my company and changes the domain to >www.gigacorp.com. I'd prefer to just correct the references than to add >thousands of RDF statements correcting each reference. Also, in my court filing >example where I am moving a document (base 64 PDF) from a delivery envelope to a >native PDF, I don't want the clutter (the standard needs to be less intrusive >IMO.) If the fact that those statements were found at www.gigacorp.com was not part of the semantics you wanted to be bound by (and I agree with Phillip that some people do want to assert this) I'd recommend using an IDREF as the URI of the resource that is digested, and the IDREF points to an object in the signature which includes "hints" for finding and resolving content. _________________________________________________________ Joseph Reagle Jr. Policy Analyst mailto:reagle@w3.org XML-Signature Co-Chair http://www.w3.org/People/Reagle/
Received on Tuesday, 9 November 1999 10:05:07 UTC