XML Processing in Current Implementations

In light of our recommending {Only What is "Seen" Should be Signed} AND
{"See" What is Signed} I have a question now that we have some more
implementation experience. When the document [1] below is signed, what is
Signed? If a PI references a style sheet, this could change the meaning of
the document being signed, is this change also signed?

1. If the document has Canonical XML applied, is the Infoset availble
through DOM/SAX that of the example XML instance with a PI Infoset node, or
the resulting (transformed) instance? If the infoset includes the changes,
we can easily satisfy the security requirements above be recommending
2. Otherwise, we'd have to recommend that 'http://foo.example.com/bar.xslt'
also be included in a Signature Reference if we  want to get bit by having
foo.example.com changing the stylesheet to affect the result after the

[1] Example (where bar.xslt changes the total amount value)
<?xml-stylesheet type="text/xml" href="http://foo.example.com/bar.xslt"?>
<html xsl:version="1.0"
    <title>Expense Report Summary</title>
    <p>Total Amount: 5</p>

Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Friday, 28 July 2000 14:45:22 UTC