At 09:17 PM 3/30/2003 +0200, Gregor Karlinger wrote:
I suggest therefore the following definition:
"For use cases where the relying party would like to check the
relationship between the the 'transforms process input data'
(which is the data he wants to operate on) and the 'transforms
process output data' (which is the data the signing party has
actually signed) all the information used by the signing party
to compute the transforms process must be signed.
Most of this information is included in a XMLDSIG signature
anyway. However, there are some exceptions, for instance imported
stylesheets referred to in an XSLT transform. Those additional
information must be signed as well, for instance as part of a
dsig:Manifest."
I see I was misinterpreting things - all you're saying is that imported
stylesheets within an XSLT transform should have their contents covered by
the signature. Since XML-DSIG doesn't accomplish this, you suggest adding
a reference in the XML-DSIG Signature to a dsig:Manifest which then
references these imported stylesheets.
Since this solution addresses a problem with XML-DSIG, I don't think it's
within our scope to mandate something like that. But we should make sure
that something like that is possible within our DSS protocol, and whether
it needs any special requirements.
The only requirement I can see this adding, is that if the client is
applying transforms to the to-be-signed data himself, then sending the
transformed data to the server for a signature, then maybe the client
should also send the imported stylesheets, i.e. "additional transform
data", so the server can link them in somehow?
Trevor
63 messages in org.oasis-open.lists.dssRE: [dss] Groups - dss-requirements-1...
.bin