Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded
That is why I believe signing the original xml PLUS the hash of the xslt stylesheet that was actually applied is an option to consider.

---------- Original Message ----------------------------------
From: Rich Salz <rsalz@datapower.com>
Date: Sat, 29 Mar 2003 13:45:49 -0500 (EST)

>> Huh. Well, if the canonicalization transform isn't really canonicalizing,
>> then I'd say the transform needs to be fixed, or a better one defined or
>> something.
>
>Hunh? It's *xml canonicalization* not "HTML canonicalization." We'd
>be foolish to waste time defining HTML canonicalization.
>
>It's irrefutable: Any XSLT that has "<xsl:output method='html'/>"
>cannot have a signature that covers the output.
>
>> If they *don't* work in the exact same way, modulo canonicalization, then
>> there's room for the requestor to say, "oh, I didn't mean to sign *THAT*,
>> my XSLT processor produced something slightly different".
>
>But if the source inputs are signed, then in case of conflict you can
>always go back to the source and see what was really there. That's
>better than having unsignable output.
>
>> In addition to the fact that not all
>> transforms will even *BE* signable
>
>Hunh? How so? Are you saying the stylesheet is private?
> /r$
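The approach proposed in this message (sign the source XML together with a hash of the stylesheet that was applied, rather than the HTML output) can be sketched as follows. This is an added example, not code from the thread or from the DSS drafts. The manifest layout, the function names and the sample documents are constructed for illustration, and HMAC-SHA256 stands in for the signer's real digital signature.

```python
import hashlib
import hmac
import json
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Constructed sample inputs (not from the thread).
SOURCE_XML = '<order id="42"><item qty="2">widget</item><total>19.98</total></order>'
STYLESHEET = b"""<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>
  <xsl:template match="/order">
    <html><body><p>Total: <xsl:value-of select="total"/></p></body></html>
  </xsl:template>
</xsl:stylesheet>"""
KEY = b"constructed-demo-key"  # assumption: stand-in for a real signing key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def source_digest(source_xml: str) -> str:
    # XML canonicalization applies to the XML source, not the HTML output.
    return sha256_hex(canonicalize(xml_data=source_xml).encode("utf-8"))


def sign(source_xml: str, stylesheet: bytes, key: bytes):
    """Return (manifest, tag) binding the source to the stylesheet applied."""
    manifest = json.dumps(
        {"source_c14n_sha256": source_digest(source_xml),
         "stylesheet_sha256": sha256_hex(stylesheet)},
        sort_keys=True, separators=(",", ":")).encode("utf-8")
    return manifest, hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify(manifest: bytes, tag: str, source_xml: str,
           stylesheet: bytes, key: bytes) -> str:
    """Check the tag first, then that both inputs match the signed digests."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "bad signature"
    claimed = json.loads(manifest)
    if claimed["source_c14n_sha256"] != source_digest(source_xml):
        return "source mismatch"
    if claimed["stylesheet_sha256"] != sha256_hex(stylesheet):
        return "stylesheet mismatch"
    return "ok"


if __name__ == "__main__":
    m, t = sign(SOURCE_XML, STYLESHEET, KEY)
    print(verify(m, t, SOURCE_XML, STYLESHEET, KEY))
    print(verify(m, t, SOURCE_XML, STYLESHEET.replace(b"Total", b"Paid"), KEY))
```

In a dispute, the verifier re-runs the transform from the signed source with the stylesheet whose hash matches, instead of relying on a signature over processor-dependent HTML.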