OASIS Mailing List Archives

dss message

Subject: Re: Passing URLs


At 09:12 AM 10/23/2003 +0200, Andreas Kuehne wrote:
>Hi Trevor!
>
> > I asked Gregor for some elaboration on the requirement that the client can
> > send URIs of to-be-signed data to the server.
> >
> > His response is informative -
>
>Yes, I see! No one wants to lose features available to XMLDSIG. And I 
>understand the shortcomings of moving data redundantly.
>
>But acting on his own behalf the DSS server may not have the rights to 
>access a given URL. So we probably need a 'claimed role' structure in the 
>request.

We have a <ClaimedIdentity> element as an Option.  It's a string, to 
contain "The identity or role asserted by the client." (at least that's 
what the requirements doc says).


>  And a matching 'CodeErrorType' if the access to the document fails.
>
>Much more common to me is a DSS server that has very limited access to the 
>outside world.
>I would like to have a bit in the signature profile saying 'document 
>required to be within the request'. So the requestor didn't even think 
>about just passing a URL.

That makes sense.  Or we could go further and remove <DocumentURI> entirely.

Trevor 


