

Subject: Re: [dss] Schema TP5. ISSUE#1: Already applied transformations by the client


At 05:05 PM 10/7/2003 +0200, Juan Carlos Cruellas Ibarz wrote:

>Trevor,
>
>see below
>
> >>2.1 the dereferencing would get DOC-1. Then the transformations that
> >>the verifier would apply would lead him to a DOC-2 completely different!!
> >>and 2.2 would, of course, fail!
> >
> >
> >Hmm.  Right.  Could we avoid this by just saying that if you're sending a
> >document for enveloping, you can't apply Transforms to it?
> >
>Just these few lines to comment that this would avoid the problem with
>enveloped documents...

Alternatively, the server could return the signature without any enveloped 
documents inside it, and it's the client's job to insert enveloped documents.

I like that better - it doesn't add an artificial restriction on applying 
Transforms to enveloped documents.  And it's more consistent with the way 
enveloping docs are handled - in both cases, the server doesn't have to 
know *anything* about enveloped/enveloping documents, he just prepares a 
ds:Reference for each InputDocument based on what the client sends him, and 
the client does the splicing necessary.

This requires a little more smarts on the client side, to know how to 
insert an XML document into another.  Perhaps we could add Options where 
the client sends enveloping/enveloped documents and the server inserts the 
enveloped elements into the signature, and inserts the signature into the 
enveloped document.

But as part of our new resolve for a "minimal core", I think we should 
leave these out of the "Basic Processing".

What do you think?


>But I guess that with enveloping documents something similar could also
>happen (the client should decide to send DOC-0 or DOC-1 -likely DOC-1-
>and the server should build up the correct ds:Reference element....

I don't see a problem with enveloping documents - the client sends DOC-1, 
where the ds:Transforms list includes an Enveloped Signature 
Transform.  The server doesn't have to do any special handling, it just 
builds up a normal ds:Reference element.  Then the client places the 
signature inside the enveloping document.

Is there a problem?


>Finally, concerning the documents referenced by a URI, the question still
>would remain: which document would be the one referenced by the URI,
>DOC-0 or DOC-1?

DOC-1.  The <ds:Transforms> inside a <Document*> would always give the 
transforms that have already been applied, and that should be included 
inside the ds:Reference.

>I would suggest to do what we agreed in the conf call, ie, a brief study of
>the different cases that can be possible so that we can see what must happen
>in the client and in the server side, and write the protocol doc. accordingly....

I'll write something up.  Let me know what you think about the above, though.

Trevor 
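
The flow described in the message above, where the client sends DOC-1 with an Enveloped Signature Transform listed, the server only builds a ds:Reference, and the client does the splicing, as an added example that is not part of the original message or of the DSS specification. The function names and the sample document are hypothetical, SignedInfo and SignatureValue are left out so that only the reference digest is modelled, and the standard library's C14N 2.0 stands in for canonicalization.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("ds", DS)


def digest(xml_text):
    # Assumption: stdlib C14N 2.0 stands in for the canonicalization step.
    canon = ET.canonicalize(xml_text)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def server_build_signature(doc1, applied_transforms):
    """Server: digest DOC-1 as received; record the transforms, never re-apply."""
    sig = ET.Element(f"{{{DS}}}Signature")  # SignedInfo/SignatureValue omitted
    ref = ET.SubElement(sig, f"{{{DS}}}Reference", URI="")
    transforms = ET.SubElement(ref, f"{{{DS}}}Transforms")
    for alg in applied_transforms:
        ET.SubElement(transforms, f"{{{DS}}}Transform", Algorithm=alg)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest(doc1)
    return sig


def client_splice(doc1, sig):
    """Client: place the returned signature inside its own document."""
    root = ET.fromstring(doc1)
    root.append(sig)
    return ET.tostring(root, encoding="unicode")


def verifier_check(signed_doc):
    """Verifier: dereference the empty URI, apply listed transforms, compare."""
    root = ET.fromstring(signed_doc)
    sig = root.find(f"{{{DS}}}Signature")
    expected = sig.find(f".//{{{DS}}}DigestValue").text
    if ENVELOPED in [t.get("Algorithm") for t in sig.iter(f"{{{DS}}}Transform")]:
        root.remove(sig)  # Enveloped Signature Transform
    return digest(ET.tostring(root, encoding="unicode")) == expected


DOC1 = "<order><item>widget</item></order>"  # constructed sample document
```

If the server leaves the client's transform list out of the ds:Reference, the verifier digests the document with the signature still in it and the check fails.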


