

Subject: Transform DocumentHash transform verification question


Trevor

Thanks for clarifying. (Re issue #21)

My question about DocumentHash based signature verification is based on DSS verification processing rule #3 in section 3.4.

I was reading more into it, asking how to verify that the transforms applied to the source document produce the hash without using the source document.

I guess we are saying that is out of scope but that the expected transform list matches what is in the ds:Reference. A related question is what if the signing server adds a transform, how would the client know this?

What is the value of trying to verify the transform list in the case of DocumentHash verification?

regards, Frederick

Frederick Hirsch
Nokia

>(21) Basic Processing, step 3, line 815, it isn't clear how the
>transform verification will work if some transforms are added
>transparently by a signing server. If the verification is done at a
>different server with different rules, how are transforms known other
>than trusting the list?
 Sorry, I don't understand. In step 3, the server just performs reference validation of a <ds:Reference> by checking that it matches some <DocumentHash>. What exactly is the problem?
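
The step 3 check discussed in this thread, sketched as an added example that is not part of the original messages or of the DSS specification: it compares the transform list, digest method and digest value declared in a `<ds:Reference>` with those in a `<DocumentHash>`, and never touches the source document. The helper names, the un-namespaced `DocumentHash` wrapper and the sample digest are constructed assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def digest_claim(elem):
    """Return (transform algorithms, digest algorithm, digest bytes) declared in elem."""
    transforms = tuple(t.get("Algorithm")
                       for t in elem.findall("ds:Transforms/ds:Transform", NS))
    method = elem.find("ds:DigestMethod", NS).get("Algorithm")
    value = base64.b64decode(elem.find("ds:DigestValue", NS).text.strip())
    return transforms, method, value

def reference_matches(reference, document_hash):
    """Hypothetical helper: field-by-field comparison, no source document involved."""
    ref_t, ref_m, ref_v = digest_claim(reference)
    doc_t, doc_m, doc_v = digest_claim(document_hash)
    return {"transforms": ref_t == doc_t,
            "digest_method": ref_m == doc_m,
            "digest_value": ref_v == doc_v}

def build(tag, transforms, digest):
    """Build a constructed element carrying the three ds: children."""
    xml = f'<{tag} xmlns:ds="{DS}"><ds:Transforms>'
    xml += "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transforms)
    xml += f'</ds:Transforms><ds:DigestMethod Algorithm="{SHA256}"/>'
    xml += f"<ds:DigestValue>{base64.b64encode(digest).decode()}</ds:DigestValue></{tag}>"
    return ET.fromstring(xml)

def demo():
    """Compare a client DocumentHash with two constructed ds:Reference elements."""
    digest = hashlib.sha256(b"constructed sample input").digest()
    doc_hash = build("DocumentHash", [C14N], digest)
    same = build("ds:Reference", [C14N], digest)
    # A reference whose transform list had one entry added after the client hashed.
    added = build("ds:Reference", [ENVELOPED, C14N], digest)
    return reference_matches(same, doc_hash), reference_matches(added, doc_hash)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second result shows the added transform only as a list mismatch; whether the listed transforms really produce the digest cannot be decided from these fields alone.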





