Re: Signatures draft

Since XML and RDF are explicitly designed to do data and resource
description, we do not specify much of our own. Instead we expect others to
design such applications in XML/RDF, over/with which our signatures will
orthogonally operate. However, we do provide the following element:

  5.2 The SignatureProperties Element

   Additional information items concerning the generation of the
   signature(s) can be placed in a SignatureProperty element (i.e.,
   date/time stamp or the serial number of cryptographic hardware used in
   signature generation.)

http://www.w3.org/TR/2000/WD-xmldsig-core-20000208/#sec-SignatureProperties

Signature validating applications have no obligation to understand the
content within this element; they are only REQUIRED to process core
validation [1] with respect to the simple semantic "XML Signatures provide
integrity, message authentication, and/or signer authentication services for
data of any type, whether located within the XML that includes the signature
or elsewhere." That's it.

[1] http://www.w3.org/TR/2000/WD-xmldsig-core-20000208/#def-ValidationCore

However, this element provides one (of many) places one could place an
assertion about a signature, such as a timestamp, hardware profile, or
semantic extension. For instance, one could assert within a
SignatureProperty that the containing signature means "authored by." Again,
while the signing application should be very careful about what it signs (it
should understand what is in the SignatureProperty), a receiving application
has no obligation to understand that semantic (though its parent trust
engine may wish to).

This isn't very well explained in the present spec, though I think the text
above does capture the sentiment expressed by the WG.

Consequently I propose adding similar text (unless someone thinks I got it
wrong, which is a very real possibility.)


At 07:36 00/02/13 -0700, John Messing wrote:
 >I am a chair of the Signatures Workgroup of legal XML, but this note is
 >simply submitted as my personal comment pending a decision by our group on
 >whether to submit a group position.
 >
 >I believe it might be helpful to add an optional element for "other
 >signature data" to the standard. At the last RSA Data Security Conference,
 >several vendors independently and in one case jointly, introduced the
 >concept of a policy manager (not always called by that name), which is a
 >mechanism for adding information to a document to be signed about the
 >authority of the signer to commit an enterprise or other legal or natural
 >person to a transaction. Such information does not appear in the ordinary
 >X-509 certificate extensions and is delegated to a policy manager, in my
 >understanding, in order to supplement the X-509 certificate extensions
 >information without having to go to a second round of authority certs. By
 >having a convenient placeholder in the standard, this information will
 >conveniently have a tag associated with it, if the applications software
 >employs such a mechanism.
 >
 >As I am not on your group's mailing list, I respectfully request you to post
 >this in the appropriate place. Thank you.
 >
 >John Messing
 >Law-on-Line, Inc.
 >1661 N. Swan Rd., Suite 312
 >Tucson, AZ 85712
 >(520)327-7750
 >jmessing@law-on-line.com
 >

_________________________________________________________
Joseph Reagle Jr.   
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Monday, 14 February 2000 12:35:17 UTC
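
The point made in the reply above, as an added example that is not part of the original message or of the specification: a receiving application can enumerate SignatureProperty elements and carry their content along without interpreting it. It goes one step beyond the thread by also reporting whether each property is pointed at by a same-document Reference in SignedInfo. Assumptions: the namespace of the later XML-Signature Recommendation rather than the 2000 working draft, an abbreviated constructed sample with placeholder values and hypothetical urn:example content, no transforms, and no digest or signature verification.

```python
import xml.etree.ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"  # later Recommendation namespace (assumption)
NS = {"ds": DS}

# Constructed sample, placeholder values; use a hardened parser for untrusted XML.
SAMPLE = """\
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="sig1">
  <SignedInfo>
    <Reference URI="http://example.org/contract.xml"><DigestValue>PLACEHOLDER</DigestValue></Reference>
    <Reference URI="#props-signed"><DigestValue>PLACEHOLDER</DigestValue></Reference>
  </SignedInfo>
  <SignatureValue>PLACEHOLDER</SignatureValue>
  <Object>
    <SignatureProperties Id="props-signed">
      <SignatureProperty Id="p1" Target="#sig1">
        <ts:Timestamp xmlns:ts="urn:example:timestamp">2000-02-14T12:35:17Z</ts:Timestamp>
      </SignatureProperty>
    </SignatureProperties>
  </Object>
  <Object>
    <SignatureProperties Id="props-unsigned">
      <SignatureProperty Id="p2" Target="#sig1">
        <sem:Meaning xmlns:sem="urn:example:semantics">authored by</sem:Meaning>
      </SignatureProperty>
    </SignatureProperties>
  </Object>
</Signature>
"""

def list_signature_properties(xml_text):
    """Return one dict per SignatureProperty: id, target, content tags, and
    whether a same-document Reference in SignedInfo points at it or an ancestor."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    referenced = {r.get("URI", "")[1:] for r in root.findall("ds:SignedInfo/ds:Reference", NS)
                  if r.get("URI", "").startswith("#")}
    out = []
    for prop in root.iter(f"{{{DS}}}SignatureProperty"):
        node, covered = prop, False
        while node is not None and not covered:
            covered = node.get("Id") in referenced  # property or an ancestor is referenced
            node = parent.get(node)
        # Content is recorded by tag only; unknown semantics are never a failure.
        out.append({"id": prop.get("Id"), "target": prop.get("Target"),
                    "content": [child.tag for child in prop], "referenced": covered})
    return out

if __name__ == "__main__":
    print(*list_signature_properties(SAMPLE), sep="\n")
```

In the constructed sample the "authored by" assertion sits in a SignatureProperties block that no Reference points at, so a trust engine that wanted to act on it would have nothing binding it to the signature.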