XML Signature WG

99-October-14
Chairs: Donald Eastlake and Joseph Reagle
Note Taker: Joseph Reagle [text]

Participants

• Donald Eastlake 3rd, IBM
• Joseph Reagle, W3C
• Mark Bartel, JetForm
• John Boyer, UWI
• David Solo, Citigroup
• Peter Norman, FactPoint
• Ed Simon , Entrust Technologies Inc.
• Barbara Fox, Microsoft

Taxonomy of Decisions for Syntactical Stuff

• Reagle Sent a proposal to the list.
• Eastlake will send thoughts on parameters and algorithms.
• ACTION Reagle: create document that covers syntactical, default, and algorithm/parameter conventions such that (1) we come to agreement and (2) the document has consistency.

Types

• Eastlake: Do we have input/output types as well?
• Boyer: people need to be careful in their specifications for transformations over XML to retain the <?xml ... > and doctype declarations. If they do something that loses that information, they shot themselves in the foot.
• Solo: it may be useful for some transformations, but for all of Boyer's XML transformations, the XML should carry that information. Eastlake seems opposed to mucking up his fragments with XML declarations. Boyer states you are still carrying it but it in the attribute.
• Solo: a way to think about it: transform is applied to bytestream, might need some other control information.
• Solo proposes: permit syntax to specify input, but note that for all of our specified XML transformations type should be in the XML.
• ACTION Reagle: bounce this issue off of XML people. Do XSLT mind if we transform well-formed XML into XML without declarations?
• Reagle: what happens if the signature syntax says text/xml, but the signature was based on the content type described by the HTTP headers. Which is normative?
• Eastlake: the type specified in the signature (if present) is dominant.

DTDs

• Discussion resulting from "Section 6.0 -- The DTD appears incorrect. ANY can only occur once and not with any of the current defined items. Should ANY be inside of the *? "
• Result: XML Signatures will not be validated signatures. Did to write an XML schema.

Location

Do we allow fragmentID's in location, or require them to sit in transformations.

1. Only URI in <location> without fragmentID, otherwise
2. use transformations to refer to a local IDREF, or parts of other documents.

Review of Outstanding Action Items

• Example in section 2.0 should be a DSS example as this is the mandatory example. I assume that at some point this will be come a verifiable example as well. WG Agrees.. ACTION Solo: will change example, and we will hopefully have a verifiable example at some point.
• Do we include or exclude the object in the signature. continue with excluding such that the signature passes for an object or an external resource. ACTION Solo: reflect in his edit.
• Section 6.0 -- The DTD appears incorrect. ANY can only occur once and not with any of the current defined items. Should ANY be inside of the *?
• Solo: This section is presently heavily underspecified. Add a comment that it requires significant additional work.
  ACTION Solo: will add ANSI reference if he can find it.
• All IETF drafts now require a patent statement a the top of the draft. Such a statement should be added to the document.
• ACTION Reagle: Add link in W3C status to patent statements now on Web site. We'll add the IETF disclosure to the IETF version when generated.
• Section 3.0 - Insert reference to Base64. ACTION Bartel: includes the reference.
• ACTION Reagle Fix. ACTION Reagle: move from c14n to canonicalization. In the XML canonicalization. Text we can keep for the time being. Bartel would like Alg spelled out too. No agreement -- but no opposition either really.
• ACTION Solo: clarify section 8.
• Action REAGLE: Move most comments to open issues sectio
• ACTION Boyer: will write up a proposal for 7.6 using "Recommended" term.

New Resulting Action Items

• ACTION Reagle: create document that covers syntactical, default, and algorithm/parameter convensions such that (1) we come to agreement and (2) the document has consistency.
• ACTION Reagle: take David's edit and format it for publication.
• ACTION Simon: begining thinking about the "normative" example such that we can test resulting signature values generated from different applications.