- From: Peter Lipp <Peter.Lipp@iaik.at>
- Date: Tue, 25 Jan 2000 22:29:53 +0100
- To: "John Boyer" <jboyer@uwi.com>, <reagle@w3.org>
- Cc: "DSig Group" <w3c-ietf-xmldsig@w3.org>
- Message-ID: <NDBBLDEHJKOODMJCNBNCCEAGDCAA.Peter.Lipp@iaik.at>
> out his portion of the form, resulting in F'. When the signer signs, this
> office-use-only section is blank, so when you follow the European
> guidelines, you show him F' with blank office-use-only section.

If the transform removes the office-use-only section, I shouldn't show it to the user as he is not going to sign it at all. He is also not going to sign the empty office-use-only section.

> However, if 'the office' were to go and white out some of what I
> filled in, then that should break my signature on F'.

Sure, but I still can't follow. Whatever that might be that has been whitened out must be part of the signature anyway if it is important enough. So it should break even under my model. What I don't get is that something might fall out during the transform but still is important enough that the signature should fail if somebody removes or changes it before the transform. If it was that important, why does the transform remove it?

> Yes, the XPath would allow more than one document to be
> transformed down to the same message. This is a MAJOR PART OF THE POINT.

This seems to contradict what you claim: you want the signature to fail if somebody fiddles with the text, but it is fine to have many different sources transform to the same finally signed document? And I would not allow the argument that a certified application doesn't do anything wrong so ..... To me this smells like an even bigger rathole. (I confess that I saw transforms as ratholes from the beginning, so it might be that my otherwise clear mind is fogged by rathole-smells and thus cannot follow your arguments clearly....)

> section is OK. But I do know that if they make modifications outside of
> that section, then they are up to no good.

Great! But you can achieve the same behaviour anyway: the transform removes the section, and leaves the rest (the outside) which is secured by the signature. No need to go back to the source now.

> This suggested solution seems to make no sense. If I have a referencable
> copy of the original document, then I don't need transforms, so
> putting both in a manifest is degenerately a non-solution.

I can't follow. How could I apply transformations to the original document without having the original document? And if I have it I consider it referenceable - even if it might not work within manifest, put it into object or wherever. That's not the point I want to make.

The generic problem I have is that to me this interpretation of use of transforms seems to be rather too application-specific. I might understand the need to address parts of documents and that one wants to sign those, which can be seen as some general case. For this general case I don't see the need to bind the signature to the original, untransformed document. This seems to be application specific, and if one wants or needs to do so, one should see the original document as data, and the transform as data, which then can be signed and the certified application will understand the meaning of the signature. I understand the pure signature to just do what we said somewhere sometime: signer has access to data at some point in time. Binding the untransformed data to the transform adds meaning to the signature, and that is not general enough in my little world.....

Peter
Received on Tuesday, 25 January 2000 16:29:57 UTC
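As an added illustration of the F/F' scenario argued over in this message (example code, not from the thread or the XMLDSig working group), the following Python models the transform as simply dropping the office-use-only element; the form layout, element names and the stand-in transform are constructed assumptions, not the spec's XPath filter or canonicalization. It shows the two properties in dispute: any content in the removed section yields the same signed digest, an edit outside it breaks verification, and binding the digest to the untransformed source instead would break as soon as the office fills in its section.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample form (hypothetical): an applicant section the signer fills in
# and an office-use-only section that is blank at signing time.
FORM_TEMPLATE = (
    "<form><applicant><name>{name}</name><amount>{amount}</amount></applicant>"
    "<office-use-only>{office}</office-use-only></form>"
)


def make_form(name, amount, office=""):
    return FORM_TEMPLATE.format(name=name, amount=amount, office=office)


def remove_section(xml_text, tag="office-use-only"):
    """Stand-in for an XPath filter transform that drops one section.

    Real XMLDSig chains an XPath transform with canonicalization; this simplified
    model only removes the named child element and re-serializes with ElementTree.
    """
    root = ET.fromstring(xml_text)
    for child in list(root):
        if child.tag == tag:
            root.remove(child)
    return ET.tostring(root, encoding="unicode")


def digest_transformed(xml_text):
    """Digest of what the signer actually signs: the transformed content (F')."""
    return hashlib.sha256(remove_section(xml_text).encode()).hexdigest()


def digest_untransformed(xml_text):
    """Digest of the raw source document, i.e. binding the signature to the original."""
    return hashlib.sha256(xml_text.encode()).hexdigest()


def still_valid(signed_digest, candidate_xml):
    """Verifier: re-run the transform on the candidate document and compare digests."""
    return digest_transformed(candidate_xml) == signed_digest


if __name__ == "__main__":
    signed = make_form("Peter", "100")              # form at signing time, office section blank
    filled = make_form("Peter", "100", "approved")  # office later fills in its own section
    whited_out = make_form("Peter", "10")           # office alters the applicant's amount
    d = digest_transformed(signed)
    print("office fills its section   ->", still_valid(d, filled))      # True
    print("office changes applicant   ->", still_valid(d, whited_out))  # False
    print("raw-binding breaks on fill ->",
          digest_untransformed(signed) != digest_untransformed(filled))  # True
```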