Re: Semantics in signatures from Joseph M. Reagle Jr. on 2000-04-13 (w3c-ietf-xmldsig@w3.org from April to June 2000)

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Thu, 13 Apr 2000 15:20:50 -0400
To: Chris_Smithies@penop.com
Cc: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Message-Id: <3.0.5.32.20000413152050.00b16300@localhost>

At 13:35 00/04/12 +0100, Chris_Smithies@penop.com wrote:
 >2.1: It will be hard work to allow arbitrarily many signatures to be added
 >to a document using this approach. Subject to what John Boyer has to say,
 >it looks to me as if a document will need to be specially designed to allow
 >multiple signatures to be added.
 >
 >2.2: Information about the signature logically belongs with the signature.
 >Forensic examination of signatures will be complicated by the need to
 >consult a plurality of resources in different locations in order to
 >reconstruct the evidence of a single historical event.

I'm not arguing against SignatureProperty and I appreciate your points.
Actually, I think the question is more of "Information about the trust and
semantics logically belongs with the [signature/application]." It's just
that the examples I was thinking of, that information belongs to the
application in my use scenarios.  My proposal was only that as presently
specified, I think it appears that SigntureProperty is the only way to go,
and one independent reader of the spec came up with the other way that I'm
more comfortable with.

One sentence in section 2.2 might do the trick
It already says:
        Applications that wish to represent other semantics must rely upon
other 
        technologies, such as [XML, RDF]. 
And we could add:
        For instance, an application might use as foo:assuredby attribute 
        within its own markup to references a Signature element.
Consequently, 
        it's the application that must understand and know how to make trust 
        decisions given the validity of the signature and the meaning of 
        assurdby syntax.

 >3: It is not the application which defines the meaning of a signature. The
 >application can only define whether the signature _can have_ any semantics.
 >It is the intent of the signatory which determines what a signature
 >actually means. (For more on application semantics, see e.g.
 >http://www.uniroma3.it/kant/field/chinese.html.)

In my example, the application and the signer are the same (or at least both
are present at time of application XML and signature generation), though I
know this isn't always the case.

_________________________________________________________
Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Thursday, 13 April 2000 15:20:51 UTC