Who cares what MUST be signed? (was Locations...) from Daniel LaLiberte on 1999-12-01 (w3c-ietf-xmldsig@w3.org from October to December 1999)

From: Daniel LaLiberte <liberte@w3.org>
Date: Wed, 1 Dec 1999 10:55:06 -0500 (EST)
To: Mark Bartel <mbartel@thistle.ca>
Cc: w3c-ietf-xmldsig@w3.org
Message-ID: <14405.17626.275915.77323@alceste.w3.org>

Mark Bartel writes:
 > 2. The signer of the document, not the verifier, determines what is
 > important to be signed.
 > 
 > I disagree with this.  I think both the signer and the verifier do this
 > determination.  It depends on the nature of the interaction.  I submit the
 > following points:

I agree with Mark, for the reasons stated.  This issue seems
fundamentally important to the goals and requirements of signatures and
until this is worked out, there are likely to be misunderstandings and
disagreements elsewhere, as is evident from the discussions of the past
several weeks.

To reiterate, it seems that it is ONLY the verifier that cares what is
signed.  When does the signer really WANT to sign something except to
satisfy the needs of verifiers.  What advanatage does the signer have?
A signature seems to only obligate the signer.

I'll leave open the possibility that there is some advantage for the
signer, regardless of the needs of verifiers, but I can't think of any
right now.  Please provide some examples to inform this discussion.

 > a) The signer cares that *sufficient* information is signed.

...sufficient for the purposes of satisfying the needs of the verifier.

 > b) The verifier only cares that the information relevant to it is signed.
 > c) If the verifier chooses to ignore signed information, that doesn't change
 > the assertion that the signer made.

Right.

 > d) If the signer is making an assertion intended to have legal force (which
 > will frequently not be the case), they will be concerned that information
 > that they are *not* asserting is *not* signed.

Right.

 > If location is signed, the document is moved, and the verifier doesn't care,
 > that doesn't change the assertion that the signer made.  This is points a),
 > b), and c).
 > 
 > And since it doesn't particularly matter where the bits come from, I would
 > say that we should specify the signed location to mean that "this is where
 > the resource was when I signed it" and nothing more.  Therefore d) would not
 > be an issue.  I don't think it is reasonable for the assertion to be "this
 > is where the resource will be for all time".  If the verifying application
 > requires that the resource be at the original location, it can do that check
 > itself.  It seems to me that this is a lot like requiring an original of a
 > contract rather than a photocopy; it is the recipient for which this
 > matters.  Sometime an organization will accept a copy, sometimes it won't.

-- 
Daniel LaLiberte
liberte@w3.org

Received on Wednesday, 1 December 1999 10:55:08 UTC