Subject: RE: [dss] Comments on Core WD 01 3 Oct 03
We have discussed the question raised below regarding policy for adhering to the DSS requirements document and the proposal is that:

Changes can be made in the DSS Schema to the requirements identified in the earlier DSS Requirements document provided that:

a) The change to the existing requirement is brought to the attention of the DSS group through the e-mail list,
b) Any relevant use cases that relate to the requirement should be identified
c) No major objections are raised in response

Nick Pope & Juan Carlos - DSS Chairs

>
> Nick
>
> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net]
> Sent: 15 October 2003 23:46
> To: Rich Salz
> Cc: Nick Pope; OASIS DSS TC
> Subject: Re: [dss] Comments on Core WD 01 3 Oct 03
>
>
> At 06:15 PM 10/15/2003 -0400, Rich Salz wrote:
>
> > > Drop the <DocumentURI> and just have <Document> and <DocumentHash>?
> >
> >yes.
> >
> > > I dunno.. I'm always in favor of simplifying, but having a URI option was
> > > in the requirements doc.
> >
> >Aren't we allowed to not meet some requirements? :)
>
> I'll leave that for the chairs, I dunno :-).
>
> Let's try to figure out why we added it, though. As far as I can tell,
> Gregor Karlinger suggested it:
> http://lists.oasis-open.org/archives/dss/200301/msg00016.html
> """
> 2.3.2 Signed Data: Reference or direct provision
>
> Data items to be signed/validated should be either provided
> to the service as a reference (URI), or directly as part of
> the request. The latter is important for situations where
> the data to be signed cannot be located by resolving a URI.
> """
>
> You were skeptical:
> http://lists.oasis-open.org/archives/dss/200301/msg00017.html
> """
> In some (many? :) cases, a DSS service will not be willing to retrieve
> data from arbitrary URL's on behalf of a client. In this case, the
> client must be able to "push" the data, along with an indicator of the
> URL of the data.
>
> Extending on this, a DSS service might be asked to verify a signature
> where it does not have the privileges to read the source document. A
> "just trust the References" mode would allow such a service to operate.
> """
>
> But that's all the discussion there was. Then I put it in the 1st draft of
> the requirements doc, and there it stayed cause no-one found it offensive
> enough to complain about.
>
> I don't really see the use of this - it seems kinda unnecessary, since the
> client could always just hash the website on its own and send the hash.
>
> So I lean your way, we could take this out. Does anyone want it or see a
> real use for it?
>
> Trevor