Author: Joseph Reagle
Audience: WWW8 Attendees
Question: Short Review of XML-DSIG Workshop
References:The W3C Signed XML Workshop
Report on W3C signed-XML99 Workshop
Joseph M. Reagle Jr.
I am going to use the next 15 minutes to briefly review the results of the
- Signature Semantics
- Content Semantics
- signing XML versus XML signatures
- Long standing interest in signatures as applied to "metadata", particularly
- IETF convened BoF in March, great deal of interest, but decided to postpone chartering
of group until W3C workshop.
- W3C workshop in April, many of the same folks, but a day and a half to address many
- Anything I say here is my own opinion; it is not a formal W3C position, nor a
representation of WG consensus on policy or technical direction.
- RDF Data Model: yes.
- RDF Syntax: people are interested, needs further thought.
- KISS/simple-semantic: data is associated with a key by signing a hash of the document
with that key.
- The DSig manifest tells you what is being signed, a list of URIs (with hashes).
- signed-XML applications are ignorant of any content semantics outside of the manifest,
including XML. (Doesn't necessarily expand entities nor chase links, might understand
- To use RDF terminology, everything referenced by the manifest is a literal. signed-XML
will use a data model (and maybe even some RDF syntax) so its semantics will be expressed,
but signed-XML will make no RDF inferences itself -- though people are certainly welcome
to do this in their applications.
signed-XML versus XML-signatures
- Is the job to figure out how to sign chunks of XML (just use S/MIME), or to create an
XML signature format.
- Does the scope of either include things other than XML?
- People want to sign chunks of XML, and to have the data remain as XML, it should also be
able to sign any Web resource.
- Additionally, they'd like the data type to stay the same: a signed_XML_form is still
recognizable as a form to form applications.
- The overlap between cryptographic semantics as expressed in the XML versus ASN1.DER
encoded blobs is still fuzzy.
- There is a proposed joint W3C/IETF WG on this activity.
- There is a proposed charter
- First FTF meeting will occur at IETF