OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded

From a legal standpoint, where human signers are involved or entities on whose behalf they are acting, I think it is essential for the relying party to know that what verifies is what tbe signer actually intended. Otherwise, there may be no valid contract between the parties, or other legal result achieved. 

This could result not repudiation of a signature, but rather an interference from the beginning through the technology with the legal relations being formed.

Therefore, the stylesheet should be hashed and be part of the signed data. If the stylesheet is posted on the web, then a URI may be useful, but if the stylesheet only exists with respect to the document that is being signed, the requirement of a URI may impose an unrealistic requirement for some transactions.

Therefore the signed data should equal both the xml + a hash of stylesheet.

---------- Original Message ----------------------------------
From: "Nick Pope" <pope@secstan.com>
Date:  Wed, 26 Mar 2003 09:34:17 -0000

>As I mentioned yesterday,  I think it is best to sign the original and the
>transform as this means both the human and computer can work from the same
>raw data.
>
>Nick
>
>> -----Original Message-----
>> From: Trevor Perrin [mailto:trevp@trevp.net]
>> Sent: 25 March 2003 21:27
>> To: Nick Pope; dss@lists.oasis-open.org
>> Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded
>>
>>
>> At 12:42 PM 3/25/2003 -0800, Trevor Perrin wrote:
>>
>> >At 12:37 PM 3/25/2003 -0800, Trevor Perrin wrote:
>> >
>> >>Right, but then I think you need to sign both the XML *and* the
>> >>transformed, human-readable form.
>> >
>> >For example, an XML-DSIG could have 2 references, both to the same
>> >document, one of which applies a transform to make it
>> human-readable, the
>> >other of which doesn't.
>> >
>> >So the transforms (in this and other cases) still might need to
>> be protected.
>>
>>
>>
>> Actually, never mind.  As long as you've signed the transformed data, the
>> transforms *don't* need to be protected, cause if the relying party gets
>> corrupted transforms, the signature won't verify.  So isn't this all that
>> needs to be done?:
>>
>> >an XML-DSIG could have 2 references, both to the same document, one of
>> >which applies a transform to make it human-readable, the other of which
>> >doesn't.
>>
>> Trevor
>>
>>
>>
>
>
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]