W3C home > Mailing lists > Public > w3c-xml-sig-ws@w3.org > April 1999

RE: unparsed entities

From: Richard D. Brown <rdbrown@GlobeSet.com>
Date: Tue, 6 Apr 1999 21:57:34 -0500
To: "'John Boyer'" <jboyer@uwi.com>, <dee3@us.ibm.com>
Cc: "'Dsig group'" <w3c-xml-sig-ws@w3.org>
Message-ID: <000d01be80a2$63dc45b0$0bc0010a@artemis.globeset.com>

I am certainly pushing a bit too far but, considering the lack of conformity
in the rendering of document by commercial browsers, I feel that you'd
better save a copy of the user-agent along with the transaction. The point
is that in most circumstances, signing at the presentation layer does not
make a lot of sense or, at least, does not increase the overall security of
the system. For form signing by human being, I would rather propose
signature of the message semantics and ensure the reliability and conformity
of the user-agent (i.e. plug-ins or style sheet). As we already do with
smart card readers, it shall be possible to require authentication of the
user-agent in the signature process.

> OK, so now I think we are agreeing.  It is necessary for a
> signed XML spec
> to include the ability to incorporate externally
> defined/unparsed entities
> for those applications that wish to prove the original
> message as a means of
> achieving transaction non-repudiation.

This is certainly a requirement, which is actually considered by the Digital
Signature for XML Proposal. However, the ability to package
external/unparsed entities does not imply that the Signature Standard shall
require compliant implementations to "chase" such external entities. This
only implies that the Signature Standard should allow authentication of
packaged entities. Chasing and embedding such external entities in the
signed document shall fall under the responsibility of the application
framework that defines such a requirement in the first place.


Richard D. Brown
Received on Tuesday, 6 April 1999 22:57:04 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:44:59 UTC