Re: DateTime (DT) attribute in Reference

Hi Amir,

This seems like the beginning of a never-ending series of special
fields to give you a clue about the data. I think all of this should
be in the URI.  You say that URIs "refer to a resource which may
change over time". But that isn't necessarily true. For your suggested
special proposed DT field to be of any use, there must be a mechanism
for retrieving the data with "name" & "DT". So why not just say
something like "mechanism:name?DT" ?  URIs are supposed to provide a
Uniform Resource Identifier to all resources of arbitrary specificity
or generality.

Most implementations of http just stuff query parameters into
environment variables or some associative array and ignore any
extra/unknown variables anyway.  I just tried appending
"?DT='2001-07-04T17:49:04T'" to the URIs for a variety of well-known web
sites including both and and they all worked
fine, ignoring this additional info. But even if that broke the average
web site, in your case you apparently have some mechanism that wants
to see the date and time so it should be implemented to anticipate, at
least optionally, the presence of such a query parameter.

It would certainly be reasonable to throw in a sentence suggesting
this technique in the XMLDSIG write-up. Something like

"Systems which need additional information to specify the precise data
signed, such as date and time, geographic location of creation, name
of author, etc., can be designed to provide such information as query
parameters to the Reference URI."


From:  Amir Herzberg <>
Message-ID:  <078EE8822DCFD411AAA1000629D56ADC0B7D37@IMP01>
To:  "Dsig (E-mail)" <>
Date:  Thu, 5 Jul 2001 13:39:47 +0300 

>I know this is late to propose any additions. However, while working on
>protocol for secure transport of XML messages, I came upon the requirement
>to refer from one message to another - specifying the time. Thinking more
>about it I realized that many references to external data may need to
>identify the specific time of the  reference. The reference currently
>identifies the data by URI, but URIs specifically do _not_ identify the time
>- they refer to a resource which may change over time. But when we hash and
>sign a resource, of course we must identify the exact version of it, and
>time is one of the best ways to do so.
>My preferred solution is to add to Reference an optional element to contain
>the time at which the reference was made, e.g. <Reference URI=`uri` DT='
>(I like to call it DT, for Date & Time, simply because it's the convention
>of IFX and OFX; but of course any other appropriate attribute name e.g. Time
>is fine by me)
>Notice this is different from the time of computing the signature itself, as
>a signature may often contain references to resources using their values at
>previous time. I know that the issue of indicating the time of computing the
>signature was addressed in the recommendation, and an application `... may
>include such information in a SignatureProperties element within an Object
>element.`. But this is the time of computing the (entire) signature, not the
>time at which the contents of the Reference were `frozen` (and later hashed
>to DigestValue). 
>Best regards, 
>Amir Herzberg
>CTO, NewGenPay Inc.  
>SMS (urgent only!): _subject_ of email to

Received on Thursday, 5 July 2001 08:19:12 UTC
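
The following is an added example, not part of the original thread or of any XMLDSIG implementation. It sketches the "name?DT" idea discussed above: a resolver that honours a DT query parameter in the Reference URI, so a digest taken over the frozen content still verifies after the resource changes, while a plain URI does not. The `store:` scheme, the `price-list` resource, its contents, the DT format without a trailing "T", and the use of SHA-256 are all constructed assumptions.

```python
import base64
import hashlib
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

def resolve(store, uri):
    """Return the bytes current at ?DT=, or the latest version if DT is absent."""
    parts = urlsplit(uri)
    history = store[parts.path]          # list of (valid_from, bytes), oldest first
    dt = parse_qs(parts.query).get("DT")
    if not dt:
        return history[-1][1]
    when = datetime.strptime(dt[0], "%Y-%m-%dT%H:%M:%S")
    matches = [data for valid_from, data in history if valid_from <= when]
    if not matches:
        raise LookupError("no version existed at " + dt[0])
    return matches[-1]

def digest(data):
    # DigestValue is carried base64-encoded; SHA-256 is an assumption here.
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def make_reference(store, uri):
    """Signer side: record the URI and the digest of what it resolves to."""
    return {"URI": uri, "DigestValue": digest(resolve(store, uri))}

def check_reference(store, ref):
    """Verifier side: re-resolve the URI and compare digests."""
    return digest(resolve(store, ref["URI"])) == ref["DigestValue"]

def demo():
    # Constructed sample data: one resource that is updated after signing.
    store = {"price-list": [(datetime(2001, 7, 1, 9, 0, 0), b"<prices>10</prices>")]}
    plain = make_reference(store, "store:price-list")
    dated = make_reference(store, "store:price-list?DT=2001-07-04T17:49:04")
    store["price-list"].append((datetime(2001, 7, 5, 9, 0, 0), b"<prices>12</prices>"))
    # The plain reference now resolves to the new content; the dated one does not.
    return check_reference(store, plain), check_reference(store, dated)

if __name__ == "__main__":
    print(demo())
```

Because the URI attribute is part of the signed Reference, the DT value is covered by the signature along with the digest; a resolver that ignores DT returns the current content and the digest check fails rather than silently accepting a different version.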