Subject: Re: [dss] Schema TP5. ISSUE#1: Already applied transformations by the client
At 05:05 PM 10/7/2003 +0200, Juan Carlos Cruellas Ibarz wrote:

>Trevor,
>
>see below
>
> >>2.1 the dereferencing would get DOC-1. Then the transformations that
> >>the verifier would apply would lead him to a DOC-2 completely different!!
> >>and 2.2 would, of course fail!.
> >
> >Hmm. Right. Could we avoid this by just saying that if you're sending a
> >document for enveloping, you can't apply Transforms to it?
>
>Just these few lines to comment that this would avoid the problem with
>enveloped documents...

Alternatively, the server could return the signature without any enveloped documents inside it, and it's the client's job to insert enveloped documents. I like that better - it doesn't add an artificial restriction on applying Transforms to enveloped documents. And it's more consistent with the way enveloping docs are handled - in both cases, the server doesn't have to know *anything* about enveloped/enveloping documents, he just prepares a ds:Reference for each InputDocument based on what the client sends him, and the client does the splicing necessary.

This requires a little more smarts on the client side, to know how to insert an XML document into another. Perhaps we could add Options where the client sends enveloping/enveloped documents and the server inserts the enveloped elements into the signature, and inserts the signature into the enveloped document. But as part of our new resolve for a "minimal core", I think we should leave these out of the "Basic Processing". What do you think?

>But I guess that with enveloping documents something similar could also
>happen (the client should decide to send DOC-0 or DOC-1 -likely DOC-1-
>and the server should build up the correct ds:Reference element....

I don't see a problem with enveloping documents - the client sends DOC-1, where the ds:Transforms list includes an Enveloped Signature Transform. The server doesn't have to do any special handling, it just builds up a normal ds:Reference element. Then the client places the signature inside the enveloping document. Is there a problem?

>Finally, concerning the documents referenced by an URI, the question still
>would remain: which
>document would be the one referenced by the URI, DOC-0 or DOC-1?

DOC-1. The <ds:Transforms> inside a <Document*> would always give the transforms that have already been applied, and that should be included inside the ds:Reference.

>I would suggest to do what we agreed in the conf call, ie, a brief study of
>the
>different cases that can be possible so that we can see what must happen in
>the
>client and in the server side, and write the protocol doc. accordingly....

I'll write something up. Let me know what you think about the above, though.

Trevor