Re: Interim Syntax & Processing Draft from Andreas Schmidt on 1999-12-08 (w3c-ietf-xmldsig@w3.org from October to December 1999)

From: Andreas Schmidt <aschmidt@darmstadt.gmd.de>
Date: Wed, 08 Dec 1999 09:47:30 +0100
To: dee3@us.ibm.com
CC: w3c-ietf-xmldsig@w3.org
Message-ID: <384E1B22.E28FAD3E@darmstadt.gmd.de>

A few quick comments on location in ObjectReference:

Sec. 2.2.3

> This identification, along with the transforms, are a
> description provided by the signer on
> how to obtain the signed resource in the form it was
> digested (i.e. the digested content).
> The verifier (i.e., relying party) may obtain the
> digested content in another method so long
> as the digest verifies. In particular, the verifier
> may obtain the content from a different
> location (particularly a local store) other
> than that specified in the URI/IDREF.

and Sec. 3.3.3

> The digest algorithm is applied to the data octets
> being secured. Typically that is doe
> by locating  (possibly using the URI/IDREF if
> provided) the data and transforming it.

This seems to essentially codify 'location as a hint'. I have a slightly bad
feeling about this for the following reason: URI (URL/URN) have a well-defined
semantics given by the respective RFC and in the case of IDREF even by basic
XML. To introduce 'location as a hint' conflicts with these meanings by
introducing a little ambiguity to them.

Since the necessity for allowing application-specific locating of signed
content is rather clear, I see no _really_good_ solution to this other than the
- maybe trivial - to be explicit and have another name for the attribute
indicating location in this case (admittedly hint="..." sounds quite strange).

Sec. 3.3.3

> Note that a null URI (URI="") is permitted and
> identifies the parent document.

Contrary to my own saying above, I regard the empty URI as a very elegant
solution for this (exceptional) case. There should be a description of how to
proceed with this case in the processing rules stating that the signature (or
relevant parts of it) have to be omitted for digesting to avoid self-reference.

Andreas
--------------------------------------------------------------------
Dr. Andreas U. Schmidt, Dept. SIT | mailto:aschmidt@darmstadt.gmd.de
GMD German National Research      | phone :+49-6151-869-712
Center for Information Technology | fax   :+49-6151-869-704
--------------------------------------------------------------------

Received on Wednesday, 8 December 1999 03:47:33 UTC