[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded
Trevor, > -----Original Message----- > From: Trevor Perrin [mailto:trevp@trevp.net] > Sent: Monday, March 31, 2003 11:49 AM > To: Gregor Karlinger > Cc: 'ML OASIS DSS' > Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded > > > At 09:17 PM 3/30/2003 +0200, Gregor Karlinger wrote: > > >I suggest therefore the following definition: > > > >"For use cases where the relying party would like to check the > > relationship between the the 'transforms process input data' > > (which is the data he wants to operate on) and the 'transforms > > process output data' (which is the data the signing party has > > actually signed) all the information used by the signing party > > to compute the transforms process must be signed. > > Most of this information is included in a XMLDSIG signature > > anyway. However, there are some exceptions, for instance imported > > stylesheets referred to in an XSLT transform. Those additional > > information must be signed as well, for instance as part of a > > dsig:Manifest." > > I see I was misinterpreting things - all you're saying is > that imported > stylesheets within an XSLT transform should have their > contents covered by > the signature. Since XML-DSIG doesn't accomplish this, you > suggest adding > a reference in the XML-DSIG Signature to a dsig:Manifest which then > references these imported stylesheets. > > Since this solution addresses a problem with XML-DSIG, I > don't think it's > within our scope to mandate something like that. But we > should make sure > that something like that is possible within our DSS protocol, > and whether > it needs any special requirements. I agree. We should not make this mandatory, but it should be possible for the requester to say "please sign all information used to compute the transform process". > The only requirement I can see this adding, is that if the client is > applying transforms to the to-be-signed data himself, then > sending the > transformed data to the server for a signature, then maybe the client > should also send the imported stylesheets, i.e. "additional transform > data", so the server can link them in somehow? This is a side issue. The important requirement is what I have stated above. But you are right, it should also be possible for the requester to make the statement cited above in the case he processes the trasforms himself. /Gregor
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]