- From: by way of <Raghavan.Srinivas@East.Sun.COM>
- Date: Tue, 09 Nov 1999 22:48:32 -0500
- To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Hi:
Based on the ensuing discussions at the 46th IETF meeting I
tried to reflect on this problem.
There are at least two schools of thought.
1. Since the signature includes the objectreference, changing
the URL for the reference should render the signature invalid.
In an example quoted, the signature may probably
be applicable based on the contents of the URL (for
example some terms of agreement).
2. URLs can and will change and the way to override signature
becoming invalid is to escape the objectreference from
being included in the signature.
Why not effectively sign for the document and the contents
of the object reference, not the object reference itself?
This should address some of the issues of 1 & 2. i.e.
changing the URL is fine as long as the contents don't
change ...
Does this seem reasonable?
Thanks!
Rags
Resent-Date: Tue, 9 Nov 1999 11:15:44 -0500 (EST)
Resent-Message-Id: <199911091615.LAA22897@www19.w3.org>
From: rhimes@nmcourt.fed.us
To: <w3c-ietf-xmldsig@w3.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: "cc:Mail Note Part"
Subject: Re:AW: AW: ObjectReference shouldn't be signed, was RE: Loca
Resent-From: w3c-ietf-xmldsig@w3.org
X-Mailing-List: <w3c-ietf-xmldsig@w3.org> archive/latest/724
X-Loop: w3c-ietf-xmldsig@w3.org
Resent-Sender: w3c-ietf-xmldsig-request@w3.org
>>The simplest example is a changing URL.
>I know that example, but that happens so rarely that I would consider
it
>appropriate to resign.
Peter,
I don't think we should assume that there is one or a few signers of a
set of
documents under a URL domain, nor that the signers are readily available
for
re-signing. Also, URLs change frequently on the web. I suspect that
once we
have proliferation of XML signatures, the problem will be at least as
common.
Thanks,
Rich
Received on Tuesday, 9 November 1999 22:48:36 UTC