- From: Rich Salz <rsalz@datapower.com>
- Date: Wed, 14 Jan 2004 10:34:12 -0500
- To: Anders Rundgren <anders.rundgren@telia.com>
- Cc: w3c-ietf-xmldsig@w3.org
> To put a single Reference pointing to a Manifest
> containing a single Reference seems like a possibility
> but an ugly one.

If you do this, then at least the verifier has *something* they can do. The semantics of Manifest seem to fit exactly into your situation: you might not be able to verify the original hash, but everything else is legit.

> To NOT specify an URL in a Reference (turning off de-referencing)
> and maybe add a static "Type" attribute seems possible but is that
> recommendable (fully compliant)?

This isn't quite the same. If you omit the URI attribute, then you are saying (according to the 4th paragraph of sec 4.3.3.1) that the verifier knows what the reference is, and that they will fetch it on their own. This isn't quite the same as Manifest. I'd go with the Manifest.

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
Received on Wednesday, 14 January 2004 10:28:49 UTC
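
The Manifest arrangement discussed in this message, sketched as an added example that is not part of the original thread: the single SignedInfo Reference covers the Manifest, so that check must pass, while the Reference inside the Manifest is reported per resource and an unreachable resource does not invalidate the rest. Assumptions: SHA-256 digests, ElementTree C14N 2.0 in place of declared Transforms, no SignatureValue check, and the helper names `build`, `verify` and `fetch` are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

def digest_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def c14n(elem) -> bytes:
    # Assumption: C14N 2.0 stands in for the Transforms a real Reference declares.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def build(resource: bytes, uri: str) -> str:
    """Constructed sample: one Reference -> Manifest -> one Reference."""
    manifest = (f'<Manifest xmlns="{DS}" Id="m1"><Reference URI="{uri}">'
                f'<DigestValue>{digest_b64(resource)}</DigestValue>'
                f'</Reference></Manifest>')
    core = digest_b64(c14n(ET.fromstring(manifest)))
    return (f'<Signature xmlns="{DS}"><SignedInfo>'
            f'<Reference URI="#m1" Type="{DS}Manifest">'
            f'<DigestValue>{core}</DigestValue></Reference>'
            f'</SignedInfo><Object>{manifest}</Object></Signature>')

def verify(sig_xml: str, fetch) -> dict:
    """fetch(uri) returns the resource bytes, or None if it cannot be retrieved."""
    sig = ET.fromstring(sig_xml)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    wanted = ref.get("URI", "").lstrip("#")
    manifest = next((m for m in sig.iter(f"{{{DS}}}Manifest")
                     if m.get("Id") == wanted), None)
    # Reference validation of the Manifest itself: failure here is fatal.
    core_ok = (manifest is not None and
               digest_b64(c14n(manifest)) == ref.findtext("ds:DigestValue", namespaces=NS))
    result = {"core_reference": core_ok, "manifest": {}}
    if not core_ok:
        return result
    # Manifest entries: reported individually, left to the application to judge.
    for mref in manifest.findall("ds:Reference", NS):
        data = fetch(mref.get("URI"))
        if data is None:
            status = "unavailable"
        elif digest_b64(data) == mref.findtext("ds:DigestValue", namespaces=NS):
            status = "match"
        else:
            status = "mismatch"
        result["manifest"][mref.get("URI")] = status
    return result
```
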