- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Thu, 05 Jul 2001 08:17:52 -0400
- To: Amir Herzberg <AMIR@newgenpay.com>
- cc: "Dsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
Hi Amir,

This seems like the beginning of a never-ending series of special fields to give you a clue about the data. I think all of this should be in the URI.

You say that URIs "refer to a resource which may change over time". But that isn't necessarily true. For your suggested special proposed DT field to be of any use, there must be a mechanism for retrieving the data with "name" & "DT". So why not just say something like "mechanism:name?DT"? URIs are supposed to provide a Uniform Resource Identifier to all resources of arbitrary specificity or generality.

Most implementations of http just stuff query parameters into environment variables or some associative array and ignore any extra/unknown variables anyway. I just tried appending "?DT='2001-07-04T17:49:04T'" to the URIs for a variety of well-known web sites including both www.w3.org and www.ietf.org and they all worked fine, ignoring this additional info. But even if that broke the average web site, in your case you apparently have some mechanism that wants to see the date and time, so it should be implemented to anticipate, at least optionally, the presence of such a query parameter.

It would certainly be reasonable to throw in a sentence suggesting this technique in the XMLDSIG write-up. Something like "Systems which need additional information to specify the precise data signed, such as date and time, geographic location of creation, name of author, etc., can be designed to provide such information as query parameters to the Reference URI."

Thanks,
Donald

From: Amir Herzberg <AMIR@newgenpay.com>
Message-ID: <078EE8822DCFD411AAA1000629D56ADC0B7D37@IMP01>
To: "Dsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
Date: Thu, 5 Jul 2001 13:39:47 +0300

> Hi,
>
> I know this is late to propose any additions. However, while working on a protocol for secure transport of XML messages, I came upon the requirement to refer from one message to another - specifying the time. Thinking more about it I realized that many references to external data may need to identify the specific time of the reference. The reference currently identifies the data by URI, but URIs specifically do _not_ identify the time - they refer to a resource which may change over time. But when we hash and sign a resource, of course we must identify the exact version of it, and time is one of the best ways to do so.
>
> My preferred solution is to add to Reference an optional element to contain the time at which the reference was made, e.g. <Reference URI=`uri` DT='2001-07-04T17:49:04T'>
>
> (I like to call it DT, for Date & Time, simply because it's the convention of IFX and OFX; but of course any other appropriate attribute name e.g. Time is fine by me)
>
> Notice this is different from the time of computing the signature itself, as a signature may often contain references to resources using their values at a previous time. I know that the issue of indicating the time of computing the signature was addressed in the recommendation, and an application `... may include such information in a SignatureProperties element within an Object element.`. But this is the time of computing the (entire) signature, not the time at which the contents of the Reference were `frozen` (and later hashed to DigestValue).
>
> Best regards,
> Amir Herzberg
> CTO, NewGenPay Inc.
> http://www.newgenpay.com/Amir/Herzberg.htm
> SMS (urgent only!): _subject_ of email to aherzberg@walla.co.il
Received on Thursday, 5 July 2001 08:19:12 UTC
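A worked illustration of the two positions in this exchange, added here as an example and not code from either poster or from the XMLDSIG specification: the point-in-time is carried as a `DT` query parameter on the Reference URI (Donald's suggestion), so it is inside `SignedInfo` without any new attribute, and the retrieval side reads that parameter optionally while ignoring unknown ones. The versioned resource, the `example.org` URI, the parameter name `DT`, the timestamps and the choice of SHA-1 are all constructed for the example; the `Reference`, `DigestMethod` and `DigestValue` element names and the `xmldsig#` namespace and algorithm identifier are the real XMLDSIG ones. The example also shows Amir's concern: the same Reference built without `DT` no longer verifies once the resource has changed.

```python
"""Added example: versioning an XMLDSIG Reference via query parameters on its URI."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"  # digest algorithm assumed for the example
KNOWN_PARAMS = {"DT"}  # parameter name assumed for the example (Amir's "Date & Time")


def add_version_params(uri, **params):
    """Append version-selecting parameters (e.g. DT=...) to a URI, keeping any query it had."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.extend(sorted(params.items()))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def split_reference_uri(uri):
    """Retrieval side: return (resource URI without query, known params, ignored param names).

    Unknown parameters are tolerated, as Donald observes most HTTP servers already do.
    """
    parts = urlsplit(uri)
    known, ignored = {}, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in KNOWN_PARAMS:
            known[name] = value
        else:
            ignored.append(name)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")), known, ignored


def digest_b64(content):
    return base64.b64encode(hashlib.sha1(content).digest()).decode("ascii")


def build_reference(uri, content):
    """Build a ds:Reference whose URI attribute (query parameters included) is what gets signed."""
    ref = ET.Element(f"{{{DSIG_NS}}}Reference", URI=uri)
    ET.SubElement(ref, f"{{{DSIG_NS}}}DigestMethod", Algorithm=SHA1_URI)
    ET.SubElement(ref, f"{{{DSIG_NS}}}DigestValue").text = digest_b64(content)
    return ref


def verify_reference(ref, fetch):
    """Re-fetch the resource named by the Reference URI and compare with the stored DigestValue."""
    base, params, _ignored = split_reference_uri(ref.get("URI"))
    stored = ref.find(f"{{{DSIG_NS}}}DigestValue").text
    return digest_b64(fetch(base, params)) == stored


# Constructed stand-in for "a resource which may change over time": the retrieval
# mechanism honours an optional DT parameter and otherwise serves the latest version.
VERSIONS = {
    "2001-07-04T17:49:04": b"<doc>price=10</doc>",
    "2001-07-05T09:00:00": b"<doc>price=12</doc>",
}
LATEST = max(VERSIONS)


def fetch_versioned(base, params):
    return VERSIONS[params.get("DT", LATEST)]


def demo():
    """Return (versioned URI, verifies with DT?, verifies without DT?)."""
    old = VERSIONS["2001-07-04T17:49:04"]
    uri = add_version_params("http://example.org/doc.xml", DT="2001-07-04T17:49:04")
    with_dt = verify_reference(build_reference(uri, old), fetch_versioned)
    # Same bytes were hashed, but the plain URI now resolves to the newer version.
    without_dt = verify_reference(build_reference("http://example.org/doc.xml", old), fetch_versioned)
    return uri, with_dt, without_dt


if __name__ == "__main__":
    print(demo())
```

Because `urlencode` percent-encodes the colons, the URI that lands in the signed `Reference` is `http://example.org/doc.xml?DT=2001-07-04T17%3A49%3A04`; `parse_qsl` decodes it again on the way back, so the retrieval mechanism sees the original timestamp.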