- From: John Boyer <JBoyer@PureEdge.com>
- Date: Thu, 6 Jan 2005 13:14:05 -0800
- To: <jbekaert@lanl.gov>, <w3c-ietf-xmldsig@w3.org>
The real answer is that you do not need to decompress resources. Your resources are compressed, so sign the compressed files and validate the compressed files. This is both far more efficient and presents NO security risk.

It is completely analogous to signing a PNG or JPEG rather than signing the uncompressed bit stream of the image that the PNG or JPEG represents. Well, images may involve lossy compression, but this is orthogonal to the analogy because what is signed has a well-defined and stable transformation into what is 'seen' or ultimately consumed by the application.

Other analogies would include signing XML markup rather than signing the machine code instructions for the processor that interprets the markup.

Best regards,
John Boyer, Ph.D.
Senior Product Architect and Research Scientist
PureEdge Solutions Inc.

-----Original Message-----
From: jbekaert@lanl.gov [mailto:jbekaert@lanl.gov]
Sent: Wednesday, January 05, 2005 10:28 PM
To: w3c-ietf-xmldsig@w3.org
Subject: compression Transforms !?

hi all,

some questions regarding the use of compression Transforms in XML Sig constructs:

* is there a _standardized_ Transform Algorithm that can be used to compress/decompress a resource? I am dealing with a bunch of gzipped resources for which a decompression (un-gzip) algorithm should be applied prior to calculation of the digests.
* if no such Transform Algorithms exist, does anyone have experience in using application-specific decompression (zip/gzip/...) transforms?
* also, is there a way to convey the mime type of the original (uncompressed) resource inside the Transform XML construct?

many thanks
best regards
jeroen

--
Jeroen Bekaert
Digital Library Research and Prototyping team
Los Alamos National Laboratory
PO Box 1663, MS P362
Los Alamos, NM, 87545, USA
tel. +1 (505) 664 0580
Received on Thursday, 6 January 2005 21:15:15 UTC
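
The approach in the reply above, as an added example that is not part of the original message or of any XML Signature library: a `ds:Reference` with no Transforms whose digest covers the gzip bytes as stored, validated before any decompression, which also shows that a re-gzipped copy of the same content no longer validates. The SHA-256 digest choice, the file name, the sample data and the function names are assumptions, and only reference (digest) validation is shown, not the signature over `SignedInfo`.

```python
import base64, gzip, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def make_reference(uri, stored_bytes):
    """Build a ds:Reference without Transforms: the digest covers the bytes as stored."""
    ref = ET.Element(f"{{{DS}}}Reference", {"URI": uri})
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", {"Algorithm": SHA256})
    value = ET.SubElement(ref, f"{{{DS}}}DigestValue")
    value.text = base64.b64encode(hashlib.sha256(stored_bytes).digest()).decode()
    return ref

def validate_then_decompress(ref, received_bytes):
    """Check the digest over the compressed bytes; decompress only on a match."""
    if ref.find(f"{{{DS}}}DigestMethod").get("Algorithm") != SHA256:
        raise ValueError("unexpected digest algorithm")
    expected = base64.b64decode(ref.find(f"{{{DS}}}DigestValue").text)
    actual = hashlib.sha256(received_bytes).digest()
    if not hmac.compare_digest(expected, actual):
        return None  # reference validation failed; the decompressor never runs
    return gzip.decompress(received_bytes)

# Constructed sample resource and its stored (compressed) form.
ORIGINAL = b"<record><title>constructed sample</title></record>\n" * 20
STORED = gzip.compress(ORIGINAL, compresslevel=9, mtime=0)
REFERENCE = make_reference("record-0001.xml.gz", STORED)  # hypothetical file name

# Same content compressed with other settings: the gzip header and stream differ.
RECOMPRESSED = gzip.compress(ORIGINAL, compresslevel=1, mtime=1104962045)
# One flipped bit in the stored file.
TAMPERED = STORED[:-1] + bytes([STORED[-1] ^ 0x01])

if __name__ == "__main__":
    print(ET.tostring(REFERENCE, encoding="unicode"))
    for label, data in [("stored", STORED), ("recompressed", RECOMPRESSED),
                        ("tampered", TAMPERED)]:
        result = validate_then_decompress(REFERENCE, data)
        print(label, "valid" if result is not None else "INVALID")
```

Because the digest is bound to the exact compressed bytes, the signed `.gz` files have to be archived and transferred unchanged; tooling that re-compresses them will break validation even though the content is identical.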