RE: Detached Signatures Vs Detached Objects

It seems that your third case (remote document / remote signature) can be
handled outside the dsig spec, with an outer document that refers to either:
a) the remote document with an embedded signature
b) the remote document and a detached signature
 
Note that this outer document could be signed independently, if desired.
 
-Greg
 
 -----Original Message-----
From: Prince, Adam [mailto:adam.prince@scala.se]
Sent: Wednesday, November 24, 1999 9:31 AM
To: dee3@torque.pothole.com; reagle@w3.org; dsolo@alum.mit.edu
Cc: w3c-ietf-xmldsig@w3.org
Subject: Detached Signatures Vs Detached Objects



The current XML-sig working draft (
http://www.w3.org/TR/1999/WD-xmldsig-core-19991119
<http://www.w3.org/TR/1999/WD-xmldsig-core-19991119> ) covers both the case
when the signature and the source are within the same document (embedded
signatures) and when the signature is sent with a reference to a separately
located source (so called "detached signature").  There is a third case, not
yet covered when the XML signed message refers to two separate locations,
one is where the source is located (ObjectReference) and a second that
points to where the signature are located (I propose this is called
SignatureReference).
 
This would be of use if I prepared a XML message that cross-referred to a
trusted document storage system where the most recent version of the
cross-referred document had a static (and importantly guaranteed) location.
For example, a library of reference documents, polices & procedures may
exist /library/trusted-references/standards.htm.  Over time new versions of
the referenced document would be created, hence digest values and signatures
will change.  I might wish to create a cross-reference to the location of
the most recent version of the document.  Under the current proposals I can
refer to a "detached signature" which contains both the document and digest
value(s) (to me this is actually a detached source), but not to the
signature itself.
 
To paraphrase I foresee cases where I wish to provide signed reference to
the most recent version of a document, not just the current version of a
document.  I cannot see any mechanism to do this within the current working
draft.
 
<Question> Does anyone else foresee any use in providing the ability to
provide within an XML-signed document the reference to both a remote source
and a remote signature?  </Question>  Please respond to the working draft
authors or the discussion group, not just to me :-)
 
There is, I acknowledge one problem with the above scenario in that when I
refer to a remote signature I am creating a "web of trust", if the
maintainer of the signature later becomes untrustworthy this cannot be
determined.  This is where the only solutions I can think of become messy,
in addition to other information, the remotely stored signature (what I call
the detached signature) needs to be signed in a way that can be verified
from information provided in the initial XML-sig message.
 
Regards
 
Adam
 

----------------------------------------------------------

The options expressed in this communication are those of the sender.  They
may or may not reflect the opinions of Scala Business Solutions N.V.

Contact Details: 
*(Office)       +46 8 601 1300 
* (mobile)        +46 709 608 666 
*(fax)            +46 8 718 4751 
"(web)            <http://www.scala.se/> http://www.scala.se 
* (e-mail)      <mailto:adam.prince@scala.se> adam.prince@scala.se 
* (snail-mail)  PO Box 104, SE-131 07 Nacka, Sweden