OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded

Trevor,

> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net] 
> Sent: Monday, March 31, 2003 11:49 AM
> To: Gregor Karlinger
> Cc: 'ML OASIS DSS'
> Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded
> 
> 
> At 09:17 PM 3/30/2003 +0200, Gregor Karlinger wrote:
> 
> >I suggest therefore the following definition:
> >
> >"For use cases where the relying party would like to check the
> >  relationship between the the 'transforms process input data'
> >  (which is the data he wants to operate on) and the 'transforms
> >  process output data' (which is the data the signing party has
> >  actually signed) all the information used by the signing party
> >  to compute the transforms process must be signed.
> >  Most of this information is included in a XMLDSIG signature
> >  anyway. However, there are some exceptions, for instance imported
> >  stylesheets referred to in an XSLT transform. Those additional
> >  information must be signed as well, for instance as part of a
> >  dsig:Manifest."
> 
> I see I was misinterpreting things - all you're saying is 
> that imported 
> stylesheets within an XSLT transform should have their 
> contents covered by 
> the signature.  Since XML-DSIG doesn't accomplish this, you 
> suggest adding 
> a reference in the XML-DSIG Signature to a dsig:Manifest which then 
> references these imported stylesheets.
> 
> Since this solution addresses a problem with XML-DSIG, I 
> don't think it's 
> within our scope to mandate something like that.  But we 
> should make sure 
> that something like that is possible within our DSS protocol, 
> and whether 
> it needs any special requirements.

I agree. We should not make this mandatory, but it should be possible
for the requester to say "please sign all information used to compute
the transform process".

> The only requirement I can see this adding, is that if the client is 
> applying transforms to the to-be-signed data himself, then 
> sending the 
> transformed data to the server for a signature, then maybe the client 
> should also send the imported stylesheets, i.e. "additional transform 
> data", so the server can link them in somehow?

This is a side issue. The important requirement is what I have stated
above. But you are right, it should also be possible for the requester
to make the statement cited above in the case he processes the trasforms
himself.

/Gregor

smime.p7s

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]