- From: EKR <ekr@rtfm.com>
- Date: 27 Mar 2000 23:06:41 -0800
- To: "Joseph M. Reagle Jr." <reagle@w3.org>
- Cc: Ed Simon <ed.simon@entrust.com>, w3c-ietf-xmldsig@w3.org
"Joseph M. Reagle Jr." <reagle@w3.org> writes: > http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0226.html > You can't do enveloped or partial documents signatures really without > operating in the XML as XML paradigm, if that frightens you from a > security point of view, use detached. (Or see Phil's comment: > http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0246.html I don't read Phill's comment this way at all. Rather, as I read it, Phill was describing how to adapt an XML as object tree implementation to do signatures over character strings by treating the signed data as an opaque string. I understood him to be arguing for what you're calling an "XML as character string" representation. Phil, do I have you right? FWIW, I'm extremely uncomfortable with the idea of requiring full C14N. It moves the trust boundary uncomfortably far away from the signature module. Doing partial decomposition as Phill describes is standard practice in the ASN.1 community and I don't see why it should be any more difficult in XML. If it is, then the problem is bad tool design, IMHO. -Ekr -- [Eric Rescorla ekr@rtfm.com] PureTLS - free SSLv3/TLS software for Java http://www.rtfm.com/puretls/
Received on Tuesday, 28 March 2000 02:05:35 UTC