- From: <edsimon@xmlsec.com>
- Date: Tue, 8 Jan 2002 20:59:37 -0500
- To: w3c-ietf-xmldsig@w3.org
- Cc: manoj@infomosaic.com
Hi, I've been reviewing a number of XML Signature Toolkits and it seems to me that most do not implement a means, upon verification, of providing the signed bytes back to the application. To me, such functionality is often critical particularly for detached data (eg. data external to the document containing the XML Signature). As an example, take an XML Signature that includes a <Reference> URI pointing to "http://www.xmlsec.com". The application calls the Toolkit API xsig.verify() which then indicates no changes occurred to "http://www.xmlsec.com" since the XML Signature was created. However, the verify() method doesn't return the data acquired when dereferencing the URI and so the XML Signature is really almost useless to an application that needs to use that data. Sure the application could dereference the URI itself but how does it know it is getting the same data that was verified. Accordingly, I would like XML Signature Toolkit APIs to include a) a basic verify() method that simply indicates whether the XML Signature is valid or not (I think all Toolkits already do at least this) b) a verify() method that returns, upon positive verification, the bytes that were acquired by dereferencing the <Reference> element's URI during the digest verification processing c) b) a verify() method that returns, upon positive verification, the bytes that were acquire by dereferencing the <Reference> element's URI and applying the prescribed transforms (see the XML Signature "See what is signed" section for details) during the digest verification processing I emphasize "during the verification processing" because it must be the bytes. Note that I'm NOT trying to define an API, I'm just using pseudo-functions to express the functionality that I think is required. I'm glad to note that Infomosaic's proposed verification response structure seems to touch on the functionality of b) or c). Manoj, or someone else from Infomosaic, would you please comment. Most apps I've come across would greatly benefit from the functionality of b). The c) functionality will be critical for some apps but those using transforms simply as filters will find the b) functionality is exactly what is required. If you are a Toolkit designer and want to contact me directly about this, feel free to do so. I'd like to hear others opinions on this whether you are designing Toolkits or not. Let me know what you think, Ed ----------------------------------------------------------------------------------------------- Ed Simon <edsimon@xmlsec.com> XMLsec Inc. Interested in XML Security Training and Consulting services? Visit "www.xmlsec.com".
Received on Tuesday, 8 January 2002 20:59:55 UTC