- From: John Boyer <jboyer@uwi.com>
- Date: Wed, 17 Nov 1999 14:57:21 -0800
- To: "Peter Lipp" <Peter.Lipp@iaik.at>, "Marc Branchaud" <marcnarc@xcert.com>, "DSig Group" <w3c-ietf-xmldsig@w3.org>
It can't be just a hint as long as our core signature validation rules state that the DigestValue of an ObjectReference in SignedInfo must be validated. Furthermore, we must have signatures that validate the DigestValue of an ObjectReference because this is the actual data that the signer wanted to sign.

Yes, we need to sign certain parts of SignedInfo for security reasons, but this whole two step is irrelevant to the signer. They want to sign the bucket of bytes indicated by ObjectReference, and if core behavior does not sign that bucket of bytes, then core behavior does not perform digital signatures as they are defined in our industry.

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Peter Lipp
Sent: Wednesday, November 17, 1999 12:59 PM
To: Marc Branchaud; DSig Group
Subject: AW: Omitting Location and Transforms from SignedInfo

> I _really_ think the last option is the right direction:

I agree. I strongly believe that the location is a hint at most, will rarely be necessary (still waiting for objections here folks :-) and if the location is kind of an "authenticated attribute" then it really belongs to the data being signed.

Peter
Received on Wednesday, 17 November 1999 17:58:42 UTC
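
A simplified model of the two-step validation this message argues about, added here as an example and not taken from the thread or the draft specification: the signature covers SignedInfo, and SignedInfo carries the DigestValue of the referenced bytes. The flat text layout of SignedInfo, the HMAC standing in for the signature algorithm, SHA-256, the key and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; HMAC stands in for the real signature algorithm (assumption).
KEY = b"constructed-demo-key"


def make_signed_info(location: str, data: bytes) -> bytes:
    """Simplified SignedInfo: a location plus the digest of the referenced bytes."""
    digest = hashlib.sha256(data).hexdigest()
    return f"ObjectReference location={location} DigestValue={digest}".encode()


def sign(location: str, data: bytes) -> tuple[bytes, bytes]:
    """Signer side: only SignedInfo is fed to the signature algorithm."""
    signed_info = make_signed_info(location, data)
    return signed_info, hmac.new(KEY, signed_info, hashlib.sha256).digest()


def signature_step(signed_info: bytes, signature: bytes) -> bool:
    """Step 1: the signature value must match SignedInfo."""
    expected = hmac.new(KEY, signed_info, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def reference_step(signed_info: bytes, fetched: bytes) -> bool:
    """Step 2: the bytes actually retrieved must hash to the signed DigestValue."""
    claimed = signed_info.decode().rsplit("DigestValue=", 1)[1]
    return hmac.compare_digest(claimed, hashlib.sha256(fetched).hexdigest())


def core_validate(signed_info: bytes, signature: bytes, fetched: bytes,
                  check_digest: bool = True) -> bool:
    """Core validation; check_digest=False models treating the reference as a hint."""
    if not signature_step(signed_info, signature):
        return False
    return reference_step(signed_info, fetched) if check_digest else True


if __name__ == "__main__":
    si, sig = sign("order.xml", b"pay 10")             # constructed sample data
    print(core_validate(si, sig, b"pay 10"))           # unchanged data
    print(core_validate(si, sig, b"pay 1000"))         # altered data, digest checked
    print(core_validate(si, sig, b"pay 1000", False))  # altered data, digest skipped
```

With the digest check skipped, the altered bytes still pass, because the signature step alone never touches the data the signer meant to sign.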