- From: Reiner Hüttl <reiner.huettl@ixos.de>
- Date: Mon, 27 Mar 2000 19:32:27 +0200
- To: "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>
Digital signatures can only get legal value if you can prove that what you have signed is what you have seen. For that reason there exist applications which use a certified viewer. XML will be viewed in most applications by standard web browsers, which will probably display an XML document with some distinctions. If you later want to verify what has been displayed to the signer, you have to know which browser he has used.

The problem is more serious if you regard XML documents containing object references containing nondeterministic behaviour, e.g. an XML document can reference an XSL object containing JavaScript code. If the script code includes instructions which are dependent on document-external parameters (e.g. browser type, system parameters, etc.) you get a problem. It is unreproducible what the user has seen at the signing time only by verifying the data of the XML source and all object references.

What are the consequences? Only accept restricted XML documents (e.g. no JavaScript) or only use certified XML viewers instead of standard web browsers? Is this compatible with the claim to get a signature standard for XML?

> -----------------------------------------------------------
> Dr. Reiner Hüttl
> Project Manager
> Innovation
>
> IXOS SOFTWARE AG
> Technopark Neukeferloh
> Bretonischer Ring 12
> D-85630 Grasbrunn/München
> Phone: +49.(0)89.4629.1348
> Fax: +49.(0)89.4629.33.1348
> World Wide Web: http://www.ixos.com/deutschland
> E-Mail: reiner.huettl@ixos.de
Received on Monday, 27 March 2000 12:32:30 UTC
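
The "restricted XML documents" option raised in the message above can be enforced as a check before signing. The following is an added example, not part of the original post or of the XML Signature work: the function name, the set of constructs it rejects, and the sample documents are assumptions chosen for illustration.

```python
import xml.parsers.expat

def presentation_risks(xml_bytes):
    """List constructs that let the rendered view depend on something other
    than the signed bytes. An empty list means the document passes this
    (assumed) restricted profile."""
    findings = []
    # Namespace-aware parsing: element names arrive as "uri local".
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_pi(target, data):
        # An xml-stylesheet PI hands rendering to an external XSL/CSS object.
        if target == "xml-stylesheet":
            findings.append(f"stylesheet reference: {data}")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A DTD can declare entities that change the displayed content.
        findings.append(f"DOCTYPE declaration: {name}")

    def on_start(name, attrs):
        local = name.rsplit(" ", 1)[-1].lower()
        if local == "script":
            findings.append(f"script element: <{local}>")
        for attr, value in attrs.items():
            if value.strip().lower().startswith("javascript:"):
                findings.append(f"script URI in attribute: {attr}")

    parser.ProcessingInstructionHandler = on_pi
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)
    return findings

# Constructed sample documents (not taken from the mailing list).
SAMPLE_PLAIN = b'<?xml version="1.0"?><order><item qty="2">paper</item></order>'
SAMPLE_STYLED = (
    b'<?xml version="1.0"?>'
    b'<?xml-stylesheet type="text/xsl" href="view.xsl"?>'
    b'<order xmlns:h="http://www.w3.org/1999/xhtml">'
    b'<h:script>document.write(navigator.appName)</h:script>'
    b'<item qty="2">paper</item></order>'
)
SAMPLE_DTD = b'<!DOCTYPE order SYSTEM "order.dtd"><order/>'

if __name__ == "__main__":
    for doc in (SAMPLE_PLAIN, SAMPLE_STYLED, SAMPLE_DTD):
        print(presentation_risks(doc) or "ok to sign under this profile")
```

A document that passes this check can still be displayed differently by different viewers; the check only removes the script-driven and externally referenced sources of variation the message names.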