- From: Richard D. Brown <rdbrown@GlobeSet.com>
- Date: Tue, 6 Apr 1999 21:57:34 -0500
- To: "'John Boyer'" <jboyer@uwi.com>, <dee3@us.ibm.com>
- Cc: "'Dsig group'" <w3c-xml-sig-ws@w3.org>

John,

I am certainly pushing a bit too far but, considering the lack of conformity in the rendering of documents by commercial browsers, I feel that you'd better save a copy of the user-agent along with the transaction.

The point is that in most circumstances, signing at the presentation layer does not make a lot of sense or, at least, does not increase the overall security of the system. For form signing by human beings, I would rather propose signature of the message semantics and ensure the reliability and conformity of the user-agent (i.e. plug-ins or style sheet). As we already do with smart card readers, it shall be possible to require authentication of the user-agent in the signature process.

> OK, so now I think we are agreeing. It is necessary for a signed XML spec
> to include the ability to incorporate externally defined/unparsed entities
> for those applications that wish to prove the original message as a means of
> achieving transaction non-repudiation.

This is certainly a requirement, which is actually considered by the Digital Signature for XML Proposal. However, the ability to package external/unparsed entities does not imply that the Signature Standard shall require compliant implementations to "chase" such external entities. This only implies that the Signature Standard should allow authentication of packaged entities. Chasing and embedding such external entities in the signed document shall fall under the responsibility of the application framework that defines such a requirement in the first place.

Sincerely,

Richard D. Brown

Received on Tuesday, 6 April 1999 22:57:04 UTC