RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded

[Trevor Perrin <trevp@trevp.net>]

At 09:17 PM 3/30/2003 +0200, Gregor Karlinger wrote:

>I suggest therefore the following definition:
>
>"For use cases where the relying party would like to check the
>  relationship between the the 'transforms process input data'
>  (which is the data he wants to operate on) and the 'transforms
>  process output data' (which is the data the signing party has
>  actually signed) all the information used by the signing party
>  to compute the transforms process must be signed.
>  Most of this information is included in a XMLDSIG signature
>  anyway. However, there are some exceptions, for instance imported
>  stylesheets referred to in an XSLT transform. Those additional
>  information must be signed as well, for instance as part of a
>  dsig:Manifest."

I see I was misinterpreting things - all you're saying is that imported 
stylesheets within an XSLT transform should have their contents covered by 
the signature.  Since XML-DSIG doesn't accomplish this, you suggest adding 
a reference in the XML-DSIG Signature to a dsig:Manifest which then 
references these imported stylesheets.

Since this solution addresses a problem with XML-DSIG, I don't think it's 
within our scope to mandate something like that.  But we should make sure 
that something like that is possible within our DSS protocol, and whether 
it needs any special requirements.

The only requirement I can see this adding, is that if the client is 
applying transforms to the to-be-signed data himself, then sending the 
transformed data to the server for a signature, then maybe the client 
should also send the imported stylesheets, i.e. "additional transform 
data", so the server can link them in somehow?

Trevor