- From: <rhimes@nmcourt.fed.us>
- Date: Mon, 22 Nov 1999 15:46:53 -0700
- To: <w3c-ietf-xmldsig@w3.org>
John,

>In general, arbitrary transforms should not be omitted from (or allowed
>outside of) SignedInfo. Mark Bartel has a fine email that runs through an
>example of why this is so.

The way I read Mark's example, the output of the spoof transform would fail signature validation, so I'm still not convinced that signing transforms buys anything. Anything goes if we aren't validating.

I view transforms (including c14n) as being very closely related to locations. Both are windows that allow us to see through to the signed bits. Those signed bits can be passed through new windows, but that's OK as long as you can specify a way (a new "path" of windows) to get back to them.

Thanks,
Rich
Received on Monday, 22 November 1999 17:57:56 UTC