- From: merlin <merlin@baltimore.ie>
- Date: Wed, 15 Nov 2000 09:54:19 +0000
- To: w3c-ietf-xmldsig@w3.org, Ken Goldman <kgold@watson.ibm.com>
Hi,

I think that most XMLDSIG implementations (certainly ours) accept contextual information as a parameter to the signing/verification process. The resolution of an implicit reference (URI or node set) is part of this contextual information. Other relevant contextual information is a base URI against which to resolve relative references, a security context in which to resolve keying information, etc.

I think you will find that an external "reference resolver" is a fairly typical form for this part of the contextual information. Applications can configure and/or implement this resolver as appropriate for their needs; specifying, in particular, how to resolve implicit references.

Merlin

r/kgold@watson.ibm.com/2000.11.08/16:51:15
>Now that I'm clear on what a Reference without a URI does, here's what
>I was trying to ask in #2 and #3.
>
>A generic DSIG verifier would presumably be passed a document and
>would come back with a pass/fail result. When this generic code came
>across a Reference without a URI, it would have no way to follow the
>Reference, no way to verify the hash, and therefore no way to verify
>the signature. The application would have no way to pass in a URI
>parameter or octets.
>
>I suspect a similar problem with a signer.
>
>This is based on my guess on how a signer/verifier would work. I'd
>like to hear opinions from people who have implemented, or plan to
>implement, a DSIG signer or verifier. Do you plan to handle a
>Reference without a URI attribute?

Received on Wednesday, 15 November 2000 04:55:19 UTC
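
The resolver arrangement described in the message above, as an added example that is not part of the original post or of any implementation it mentions: a Reference digest check that takes its base URI and resolvers from an application-supplied context and fails closed when a Reference without a URI has no implicit resolver. `VerifyContext`, `check_references` and the sample data are hypothetical names; the sketch assumes a well-formed SignedInfo and covers only the digest comparison, not transforms, canonicalization or SignatureValue verification.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

DS = "{http://www.w3.org/2000/09/xmldsig#}"
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
           "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}

class VerifyContext:
    """Hypothetical holder for application-supplied context (not a real library API)."""
    def __init__(self, base_uri="", resolve_uri=None, resolve_implicit=None):
        self.base_uri = base_uri
        self.resolve_uri = resolve_uri            # callable(absolute_uri) -> bytes
        self.resolve_implicit = resolve_implicit  # callable(Reference element) -> bytes

    def dereference(self, ref):
        uri = ref.get("URI")
        if uri is None:  # implicit reference: only the application knows the data
            resolver, arg = self.resolve_implicit, ref
        else:            # relative URIs are resolved against the supplied base URI
            resolver, arg = self.resolve_uri, urljoin(self.base_uri, uri)
        if resolver is None:
            raise LookupError("no resolver configured for this Reference")
        return resolver(arg)

def check_references(signed_info_xml, ctx):
    """True only if every Reference digest matches the octets the context resolves."""
    refs = ET.fromstring(signed_info_xml).findall(f"{DS}Reference")
    for ref in refs:
        alg = ref.find(f"{DS}DigestMethod").get("Algorithm")
        expected = base64.b64decode(ref.find(f"{DS}DigestValue").text)
        try:
            data = ctx.dereference(ref)
        except LookupError:
            return False  # fail closed: an unresolvable Reference never verifies
        if alg not in DIGESTS or not hmac.compare_digest(DIGESTS[alg](data).digest(), expected):
            return False
    return bool(refs)  # a SignedInfo with no Reference at all does not verify

# Constructed sample: SignedInfo with one Reference that has no URI attribute.
PAYLOAD = b"out-of-band application data"
SIGNED_INFO = (
    '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><Reference>'
    '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    f'<DigestValue>{base64.b64encode(hashlib.sha1(PAYLOAD).digest()).decode()}</DigestValue>'
    '</Reference></SignedInfo>')
```
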