Subject: Re: [dss] "Required" Designation on SignatureObject within VerifyRequest
At 11:02 PM 4/14/2004 -0400, ed.shallow@rogers.com wrote:
>Folks,
>
> An enveloped signature in the only InputDocument presents no
>implementation issue with respect to locating the signature.

Suppose I have an input document like:

<a>
  <b>
    <c/>
  </b>
  <d/>
  <e>
    <f>
    </f>
    <ds:Signature>
    </ds:Signature>
  </e>
</a>

With what you're proposing, the server would have to search through all the elements until it's found the signature, right?

And what if the signature can't be identified by element name (i.e., it's named "xyz", but it's of type ds:SignatureType). Then it becomes even harder to figure out which element is the signature.

Much better just for the client to indicate it, isn't it?

> As a compromise, would you allow something like this in the spec's
>documentation ...
>
>"When only one InputDocument exists, which contains the signature to be
>verified, DSS implementations MAY relieve their callers of having to
>initialize the SignaturePtr elements (i.e. WhichDocument and XPath). In this
>case, DSS implementations would assume the signature is contained in the
>only InputDocument and verify the signature accordingly, whether it be
>enveloped or enveloping".

I don't think we need to say anything about the relationship between the caller and the implementation; that's an API issue.

However, are you saying the *client* would send an empty/uninitialized <SignaturePtr> to the server? I hope not, that would be too horrible to even contemplate.... :-)

Trevor
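
The argument in the message above, as an added example that is not part of the original post or of the DSS specification: a server that searches by element name walks the whole tree and still misses a signature carried in an element named "xyz", while a client-indicated location resolves to exactly one element or is rejected. The sample document, the Id values, and the path strings are constructed for illustration, and ElementTree's limited path syntax stands in for the XPath a SignaturePtr would carry.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed input: the message's sample document, plus a second signature
# carried in an element named "xyz" whose schema type is ds:SignatureType.
DOC = f"""<a xmlns:ds="{DS}" xmlns:xsi="{XSI}">
  <b><c/></b>
  <d/>
  <e>
    <f/>
    <ds:Signature Id="by-name"/>
    <xyz xsi:type="ds:SignatureType" Id="by-type"/>
  </e>
</a>"""


def parse_sample():
    """Parse the constructed sample document and return its root element."""
    return ET.fromstring(DOC)


def find_by_name(root):
    """Server-side guess: visit every element looking for ds:Signature.

    Returns the Ids found and the number of elements visited. Without schema
    validation the parser has no type information, so "xyz" is not detected.
    """
    visited = 0
    hits = []
    for el in root.iter():
        visited += 1
        if el.tag == f"{{{DS}}}Signature":
            hits.append(el.get("Id"))
    return hits, visited


def resolve_pointer(root, path, namespaces=None):
    """Client-indicated location: exactly one match, otherwise reject."""
    matches = root.findall(path, namespaces or {})
    if len(matches) != 1:
        raise ValueError(f"pointer matched {len(matches)} elements, expected 1")
    return matches[0].get("Id")


if __name__ == "__main__":
    root = parse_sample()
    print(find_by_name(root))
    print(resolve_pointer(root, "./e/xyz"))
```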