Re: RetrievalMethod issues

r/reagle@w3.org/2000.10.10/14:39:42
>Right, it is described in 4.4
>http://www.w3.org/Signature/Drafts/WD-xmldsig-core-latest/#sec-KeyInfo

I guess it would help if I could read ;}

>> If the result of the dereference and transformation is a node set,[ and the
>> RetrievalMethod Type is one of the types defined in this document,] then the
>> node set is processed as if it were canonicalized and retrieved as a raw
>> octet stream.
>
>Hrmm... I think I prefer to err on the side of making the RetrievalMethod 
>author include a specific c14n in the transform.
>
>Ok, new text:
>
>4.4 The KeyInfo Element
>.... The following list summarizes the KeyInfo types defined by this 
>specification; these can be used within the RetrievalMethod Type attribute 
>to describe the remote KeyInfo structure as represented as an octet stream.
>
>4.4.3 The RetrievalMethod Element
>.... RetrievalMethod uses the same syntax and dereferencing behavior as 
>Reference's URI (section 4.3.3.1) and The Reference Processing Model 
>(section 4.3.3.2) except that there are no DigestMethod or DigestValue child 
>elements and presence of the URI is mandatory. Note, if the result of 
>dereferencing and transforming the specified URI is a node set, then it may 
>need to be canonicalized. All of the KeyInfo types defined by this 
>specification (section 4.4) require octets, consequently the Signature 
>application is expected to attempt to canonicalize the nodeset via The 
>Reference Processing Model (section 4.3.3.2).

If this language is open to my processor NOT performing the c14n,
I'm fine with it.

Specifically, I would typically expect to see:

  <RetrievalMethod URI="#foo" Type="&dsig;X509Data" />

In this case, I can observe that this is a reference to a (comment-free)
element with its children, and I can observe that there are no transforms,
so I can efficiently parse the key info straight from the node set without
performing a c14n/parse step. The important thing is that the effect is
the same as if it were canonicalized and parsed out of the resulting octet
stream, which is what I was trying to say.

Merlin

Received on Wednesday, 11 October 2000 07:15:26 UTC
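
The equivalence discussed in this message, as an added example that is not part of the original post or of the specification: a same-document RetrievalMethod with no transforms is read once straight from the node set and once after canonicalizing to octets and re-parsing, and the two results are compared. The sample document, the `Id` attribute on X509Data, the certificate text and all function names are constructed for illustration; Python's `ET.canonicalize` implements C14N 2.0 and stands in here for whichever c14n an implementation would apply.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the Id on X509Data and the certificate text are placeholders.
DOC = f"""<Signature xmlns="{DSIG}">
  <KeyInfo><RetrievalMethod URI="#foo" Type="{DSIG}X509Data"/></KeyInfo>
  <Object>
    <X509Data Id="foo">
      <X509SubjectName>CN=Constructed Example</X509SubjectName>
      <X509Certificate>
        Q09OU1RSVUNURUQ=
      </X509Certificate>
    </X509Data>
  </Object>
</Signature>"""

def dereference(root, uri):
    """Resolve a same-document '#id' URI to exactly one element."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled")
    hits = [e for e in root.iter() if e.get("Id") == uri[1:]]
    if len(hits) != 1:
        raise ValueError("URI must resolve to exactly one element")
    return hits[0]

def parse_x509data(elem):
    """Extract child values; surrounding whitespace is not significant here."""
    if elem.tag != f"{{{DSIG}}}X509Data":
        raise ValueError("target does not match Type X509Data")
    return {c.tag.split("}")[1]: (c.text or "").strip() for c in elem}

def retrieve(root, force_c14n=False):
    rm = root.find(f".//{{{DSIG}}}RetrievalMethod")
    if rm.get("Type") != DSIG + "X509Data":
        raise ValueError("unsupported RetrievalMethod Type")
    target = dereference(root, rm.get("URI"))
    if rm.find(f"{{{DSIG}}}Transforms") is not None:
        raise NotImplementedError("transforms are outside this sketch")
    if not force_c14n:
        return parse_x509data(target)  # fast path: read the node set directly
    # Slow path: node set -> canonical octets -> parse again.
    octets = ET.canonicalize(ET.tostring(target, encoding="unicode")).encode("utf-8")
    return parse_x509data(ET.fromstring(octets))

def paths_agree(xml_text=DOC):
    root = ET.fromstring(xml_text)
    return retrieve(root) == retrieve(root, force_c14n=True)
```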