Author: Joseph Reagle

Audience: Workshop Attendees

Question: What will we accomplish at the workshop.


References:The W3C Signed XML Workshop

XML-DSig'99: The W3C Signed-XML Workshop

April 15th and 16th

atmirs3.gif (21261 bytes)

DoubleTree Guest Suites Hotel,
Boston, Massachusetts


I am going to use the next two days to gather information, concerns, requirements, and consensus so as to move quickly after this meeting.


  1. Introduction
  2. Web of Trust
  3. Signature Semantics
  4. Canonicalization and Content Semantics
  5. Applications


  1. Specifications
  2. Forms
  3. Consensus/Wrapup/Conclusion



  1. Think about the IETF/W3C issue, we will return to it tomorrow.
  2. Any questions on the status of XML activities?
  3. And dependencies that you do not think are relevant, or dependencies that have not been identified?

Signature Semantics


  1. Why not just use S/MIME?
  2. Do we have consensus that people can place unparsed data (e.g., X.509 blobs) in elements?
  3. What do people think of using RDF syntax to represent assertion semantics?
  4. Do we have consensus that we should have an explicit  data model?
  5. Do we have consensus (from the proposed charter) that we focus on the simple semantic: signature=f(key+hash+resource)? That additional semantics should be able to be introduced through the namespace facility?

Content Semantics


  1. Do we have consensus that one needs a number of different semantic content depths (bits, XML, DOM, etc.)?
    1. What should we spend time on -- if any? Should we specify the bit method, rely upon XML-syntax WG for XML, and someone else for DOM-hash?
  2. Unicode: should "e with acute" (composed form) be treated as different from "e" + "combining acute" (decomposed form) or the same?
  3. Need canonicalized-XML be XML?
  4. How do we sign the hash of a native document format, when the encoded format is what is generally available?
  5. How do we feel about resolving external entities and resources?
  6. How do we warn application designers to guard their proprietary semantics before canonicalization? Do we even need to?
  7. Need signed-XML address XML-filters itself? Or should we defer to XPointer (advanced locators) and XSL-selectors?



  1. What additional requirements/constraints are there based on these applications?



  1. Data model?
  2. Do people like Richards syntax and DTD?
  3. How much form work do we want to do?
  4. How concerned are we about secrecy/confidentiality?



  1. Do we need to do forms, or do we focus on the signature and move onto that next?
  2. Again, external references and entities?
  3. Filters, do we need them?
    1. Should we rely upon advanced locators (X-pointer or XSL selectors) or create our own?
  4. How will CGI scripts deal with signed form returns?


  1. W3C or IETF?
  2. Depending on where, how do we coordinate, ensure wide review and robustness with the security and XML domains?
  3. Did we answer all the questions?