- From: Barb Fox <bfox@Exchange.Microsoft.com>
- Date: Mon, 5 Jun 2000 14:39:29 -0700
- To: "Joseph M. Reagle Jr." <reagle@w3.org>, <tgindin@us.ibm.com>
- Cc: <w3c-ietf-xmldsig@w3.org>
- Message-ID: <96BABA22ECEAEA45B53D08D63E1B567826F15E@DF-SPIKE.platinum.corp.microsoft.com>
Joseph and Tom: Sorry, but I strongly believe that this manually signed digest signature type is a huge mistake for this working group to even consider. The focus of the working group and its charter from inception has been digital signature in the cryptographic context. Adding this "interpretation" of signature opens to door to all kinds of random definitions and it seriously dilutes the work we've done so far. --Barbara Fox -----Original Message----- From: Joseph M. Reagle Jr. [mailto:reagle@w3.org] Sent: Monday, June 05, 2000 1:55 PM To: tgindin@us.ibm.com Cc: w3c-ietf-xmldsig@w3.org Subject: Re: Manually Signed Digest as an XML signature type At 07:31 PM 5/31/00 -0400, tgindin@us.ibm.com wrote: > Is there any point in the current draft which would need to be changed >to make allowances for someone to define a "manually verifiable" signature >technique in this connection? I hope not. The intent of the design is to permit externally defined signature techniques and not become a repository for all signature profiles. >1 A new value for SignatureMethod "manuallySignedDigest". This value >for SignatureMethod implies that the SignatureValue itself consists of the >base 64 encoding of the message digest and is not signed. This method's >main parameter is a reference to a SignatureProperty containing the manual >signature. It might also accept a parameter giving the data type of the >manual signature. > >2 The manual signature itself, in a SignatureProperty. This manual >signature should contain a voice recording, transcribed signature, or the >like which is performed by the user (signed with handwriting or spoken) and >in which the user him/herself records the message digest. If I was designing this application, my initial though would've been to place this data in KeyInfo: "KeyInfo is an optional element that enables the recipient(s) to obtain the key(s) needed to validate the signature." "Additional information items concerning the generation of the signature(s) can be placed in a SignatureProperty element." My own distinction between these two things is that KeyInfo is the information necessary to procedurally generate/confirm the SignatureValue octets and any of its metadata (like a signed cert); SignatureProperties is other data relevant to application/trust decisions about the assuredness/trustworthiness of that SignatureValue. If others agree, we could try to make this clearer... _________________________________________________________ Joseph Reagle Jr. W3C Policy Analyst mailto:reagle@w3.org IETF/W3C XML-Signature Co-Chair http://www.w3.org/People/Reagle/
Received on Monday, 5 June 2000 18:08:29 UTC