MIME Blobs

     
     I've encountered a related difficulty in a specification I'm working 
     on at
     
     http://www.nmcourt.fed.us/xci/xcispec.htm
     
     in which I'm defining a protocol for exchange of information between a 
     court and attorneys, including electronic filing.  The problem is that 
     our court is currently accepting electronic filings in PDF format.  We 
     want the PDF documents signed in their native format (i.e. as close to 
     presentation format as possible).  If the PDF document were packaged 
     within XML, it would presumably be base64 encoded and tagged with a 
     MIME package element (type="application/pdf").  The problem is that I 
     need to include the signature of the source PDF in the XML document, 
     not the base64 version with the tags, and I'd like to do it in a 
     "standard" way.
     
     Other applications may run into this same problem, where the encoded 
     content is application-specific but signed in its native format.  An 
     example may be future e-mail systems using MIME.
     
     I would like the standard to include the ability to specify that a 
     hash (signature) is applied only to the unencoded content of a MIME 
     package (the original binary blob) without having to write it 
     externally for verification.
     
     Rich Himes <rhimes@nmcourt.fed.us>


______________________________ Reply Separator _________________________________
Subject: Re: unparsed entities 
Author:  <w3c-xml-sig-ws@w3.org> at ~Internet
Date:    4/7/99 5:50 PM


Hi Richard,
     
     
>John,
>
>What is being signed shall be explicitly specified in the signature
>manifest by means of XML links. Thus, if an external/unparsed entity
>needs to be embedded into the signature process then this entity shall
>be packaged into the document and a link to the package element shall
>be inserted in the signature manifest. Conversely, if you can suffice
>with an external reference to the resource, but still want to bind the
>actual value of this resource into the signature process then you
>should insert both the hash and the reference to this external entity
>into the signature manifest. Notice that you should not expect the
>"signature engine" to verify that the hash of the external entity
>matches with the one inserted in the signature manifest. An
>implementation that complies with the standard should only assess that
>the signature value is valid in regard to the signature manifest. It
>falls under the responsibility of the application layer to verify the
>actual value of the external entity.
     
The external entities, once packaged into the document, can be signed 
directly by simply regenerating a portion of the document that happens to 
include the elements containing the packaged external entities.
     

Received on Wednesday, 7 April 1999 21:04:50 UTC
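
Added example, not part of the original thread or of any specification it refers to: an application-layer check that the digest recorded in a manifest matches the decoded (native) bytes of a base64-packaged document, independent of how the base64 text is wrapped. The element and attribute names (Filing, Package, Manifest, Reference, over, algorithm), the use of SHA-256 and the sample bytes are assumptions made for illustration; verifying the signature over the manifest itself is out of scope here.

```python
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET  # use a hardened parser for untrusted input

# Constructed stand-in for the native PDF bytes (not a real filing).
PDF_BYTES = b"%PDF-1.3\n% constructed sample filing\n%%EOF\n"


def build_filing(blob: bytes, wrap: int = 76) -> str:
    """Package blob as base64; the manifest digest covers the decoded bytes."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap))
    digest = hashlib.sha256(blob).hexdigest()
    # Hypothetical element and attribute names, chosen for this example.
    return (
        "<Filing>"
        f'<Package id="doc1" type="application/pdf" encoding="base64">\n{body}\n</Package>'
        '<Manifest><Reference uri="#doc1" over="decoded-content" algorithm="sha256">'
        f"{digest}</Reference></Manifest>"
        "</Filing>"
    )


def verify_package(xml_text: str) -> bool:
    """Application-layer check: digest of decoded bytes equals the manifest value."""
    root = ET.fromstring(xml_text)
    ref = root.find("./Manifest/Reference")
    if ref is None or ref.get("algorithm") != "sha256":
        return False
    if ref.get("over") != "decoded-content":
        return False  # refuse digests computed over the base64 text
    uri = ref.get("uri", "")
    pkg = next((p for p in root.iter("Package")
                if uri.startswith("#") and p.get("id") == uri[1:]), None)
    if pkg is None or pkg.get("encoding") != "base64":
        return False
    try:
        # Line wrapping is transport detail: drop whitespace, then decode strictly.
        blob = base64.b64decode("".join((pkg.text or "").split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    actual = hashlib.sha256(blob).hexdigest().encode()
    claimed = (ref.text or "").strip().lower().encode()
    return hmac.compare_digest(actual, claimed)
```

Because the digest is taken over the decoded bytes, re-wrapping the base64 text in transit does not invalidate it, while any change to the document bytes does.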