dss message

Subject: Re: [dss] Comments on Core WD 01 3 Oct 03

From: Trevor Perrin <trevp@trevp.net>
To: Rich Salz <rsalz@datapower.com>
Date: Wed, 15 Oct 2003 13:32:56 -0700

At 01:45 PM 10/15/2003 -0400, Rich Salz wrote:
>Content-Transfer-Encoding: 7bit
>
>><DocumentURI RefURI="#doc1">
>>   <URI>http://acme.com/document.xml</URI>
>></DocumentURI>
>>The server uses <URI> to retrieve the document, and uses RefURI to 
>>construct a <ds:Reference> for the document.
>
>We should say something about the security implications of this.  It's all 
>too easy to set things up so that the server fetches, signs, and returns, 
>documents that the client cannot access.

Yeah, this should be a security consideration, at least.



>I should have raised this before.  We may want to consider that the client 
>can *only* send entire documents.

Drop the <DocumentURI> and just have <Document> and <DocumentHash>?

I dunno..  I'm always in favor of simplifying, but having a URI option was 
in the requirements doc.

Trevor

Follow-Ups:
- Re: [dss] Comments on Core WD 01 3 Oct 03
  - From: Rich Salz <rsalz@datapower.com>

References:
- RE: [dss] Comments on Core WD 01 3 Oct 03
  - From: Trevor Perrin <trevp@trevp.net>
- Re: [dss] Comments on Core WD 01 3 Oct 03
  - From: Trevor Perrin <trevp@trevp.net>
- Re: [dss] Comments on Core WD 01 3 Oct 03
  - From: Rich Salz <rsalz@datapower.com>