[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded
At 09:17 PM 3/30/2003 +0200, Gregor Karlinger wrote: >I suggest therefore the following definition: > >"For use cases where the relying party would like to check the > relationship between the the 'transforms process input data' > (which is the data he wants to operate on) and the 'transforms > process output data' (which is the data the signing party has > actually signed) all the information used by the signing party > to compute the transforms process must be signed. > Most of this information is included in a XMLDSIG signature > anyway. However, there are some exceptions, for instance imported > stylesheets referred to in an XSLT transform. Those additional > information must be signed as well, for instance as part of a > dsig:Manifest." I see I was misinterpreting things - all you're saying is that imported stylesheets within an XSLT transform should have their contents covered by the signature. Since XML-DSIG doesn't accomplish this, you suggest adding a reference in the XML-DSIG Signature to a dsig:Manifest which then references these imported stylesheets. Since this solution addresses a problem with XML-DSIG, I don't think it's within our scope to mandate something like that. But we should make sure that something like that is possible within our DSS protocol, and whether it needs any special requirements. The only requirement I can see this adding, is that if the client is applying transforms to the to-be-signed data himself, then sending the transformed data to the server for a signature, then maybe the client should also send the imported stylesheets, i.e. "additional transform data", so the server can link them in somehow? Trevor
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]