[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [dss] Comments on Core WD 01 3 Oct 03
At 01:45 PM 10/15/2003 -0400, Rich Salz wrote: >Content-Transfer-Encoding: 7bit > >><DocumentURI RefURI="#doc1"> >> <URI>http://acme.com/document.xml</URI> >></DocumentURI> >>The server uses <URI> to retrieve the document, and uses RefURI to >>construct a <ds:Reference> for the document. > >We should say something about the security implications of this. It's all >too easy to set things up so that the server fetches, signs, and returns, >documents that the client cannot access. Yeah, this should be a security consideration, at least. >I should have raised this before. We may want to consider that the client >can *only* send entire documents. Drop the <DocumentURI> and just have <Document> and <DocumentHash>? I dunno.. I'm always in favor of simplifying, but having a URI option was in the requirements doc. Trevor
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]