RE: AW: Re[2]: Omitting Location and Transforms from SignedIn from John Boyer on 1999-11-18 (w3c-ietf-xmldsig@w3.org from October to December 1999)

From: John Boyer <jboyer@uwi.com>
Date: Thu, 18 Nov 1999 09:15:15 -0800
To: <adam.prince@scala.se>, "'Peter Lipp'" <Peter.Lipp@iaik.at>, <rhimes@nmcourt.fed.us>, <w3c-ietf-xmldsig@w3.org>, <gwhitehead@signio.com>
Message-ID: <NDBBLAOMJKOFPMBCHJOIIEEICCAA.jboyer@uwi.com>

Your description is good, but it is already covered by the spec.  We are
haggling over how to support certain scenarios that aren't covered by the
spec.  We're not saying that Location will never be signed, we're just
saying that in some problems, it  is inconvenient (or unusable) to have it
signed.

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company


-----Original Message-----
From: Adam Prince [mailto:adam.prince@scala.se]
Sent: Thursday, November 18, 1999 8:28 AM
To: 'Peter Lipp'; rhimes@nmcourt.fed.us; w3c-ietf-xmldsig@w3.org;
jboyer@uwi.com; gwhitehead@signio.com
Subject: RE: AW: Re[2]: Omitting Location and Transforms from SignedIn


sorry to jump in with probably two big feet but . . .

Within a business to business message stream an external reference is likely
to be found as a cross reference rather than just a signed statement "laying
around".  For example, if I sent a report to a client and cross-referred to
a relevant and significant external object (possibly on my home server or a
learned site such a W3C) I would wish to sign the cross-reference to prove
data integrity (i.e. the document I referred to is the same as the one you
follow my link to).  Likewise if I place a complex purchase order I might
cross-refer to a separate bill-of-material or design plan and wish to sign
that reference so that there can not be any later confusion as to which
version etc of the cross-referred object I meant (non-repudiation).  In both
cases I move from the signed reference to the object rather than the object
to the signature and in both cases the reference is significant as it may be
absolute (a complete uri) or relative (within a given web-site or Extranet).

Regards

Adam Prince

-----Original Message-----
From: Peter Lipp [mailto:Peter.Lipp@iaik.at]
Sent: 18 November 1999 17:12
To: rhimes@nmcourt.fed.us; w3c-ietf-xmldsig@w3.org; jboyer@uwi.com;
gwhitehead@signio.com
Subject: AW: AW: Re[2]: Omitting Location and Transforms from SignedIn
-------------<snip>---------------
> or at least we should allow for it.  Suppose I make a statement that "The
> document at www.xxx.com/PG is suitable reading for children".  I
This is fine, but I would rarely go and check your signature in such cases
if I did not want to know about www.xxx.com in the first place. If I happen
to find your signature laying around, I would not go off to check the page
out of curiosity if your signature verifies or not.

What I was aiming at was that the workflow would more often move from the
document to the signature than the other way round.

-------------<snip>---------------

Received on Thursday, 18 November 1999 12:16:48 UTC