[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded
At 12:11 PM 3/26/2003 +0000, karel.wouters@esat.kuleuven.ac.be wrote:
>[...]
>IMHO, the XML and the transform should be signed, and the rest should be
>left to be specified by people who adopt this standard.

I think it's better to sign 2 references, one to the raw document, one that applies transform(s) to make the raw document human-readable:

  <Reference URI="#SomeDocument">
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
  </Reference>
  <Reference URI="#SomeDocument">
    <Transforms>
      <Transform Algorithm="http://www.someplace.org/SomeTransform"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>Q52xy4a9289mvDl1up4sbEVU89x=</DigestValue>
  </Reference>

Looking at the XML-DSIG spec, I don't see any mention of signing transforms. Instead, usually transforms shouldn't need to be signed/verified, since the data is signed after going through them, so a change/corruption of the transform will invalidate the signature.

I guess you're proposing something like this, where both the document and transform are signed?

  <Reference URI="#SomeDocument">
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
  </Reference>
  <Reference URI="#http://www.w3.org/SomeTransform">
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>Q52xy4a9289mvDl1up4sbEVU89x=</DigestValue>
  </Reference>

However, in this case, suppose multiple documents (#SomeDocument1, #SomeDocument2, etc.) were signed. And suppose there are multiple transforms. How would it be clear which transforms apply to which documents? Moreover, if you sign only the transforms, not the transformed data, then there's wiggle-room for the signer to try to claim that he applied the transform differently than the verifier (suppose the transform references time-sensitive data somehow).
Also, what about the case above, where the transform might not be a stylesheet, but might be described algorithmically by a text document referenced by a URI that may not even be a URL - i.e. there may not be data describing the transform that is signable. Even if there is, it may be a human-readable document subject to revisions (which would invalidate a signature), or it may be quite large, which would make signing/verifying unwieldy, and in any case add a network dependency, since the verifier will only be able to verify the document as long as the site stays up.

So I think signing data after it's transformed is much more in accord with how XML-DSIG was designed to work, and in the case where we want to sign both human-readable and machine-readable views on some data, it's easiest to do that with different ds:References, each applying whatever transforms are appropriate to the same underlying data.

Trevor
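The two designs compared in the mail above, as an added example that is not part of the original thread or of the DSS TC's work. It models a ds:Reference as a dict and computes the xmldsig#sha1 DigestValue over the output of the transform chain (the first layout, two References to #SomeDocument), then contrasts that with a Reference whose digest covers the transform's definition instead. The document content, the behaviour of "SomeTransform" (including its dependence on a rendering date, standing in for the "time-sensitive data" case), the corrupted transform, and the transform-definition text are all constructed for illustration; signing of ds:SignedInfo itself is left out.

```python
"""Added example: ds:Reference digests over transform output vs. over a
transform definition. Everything below is constructed; only the algorithm
identifiers are taken from the mail."""
import base64
import hashlib
import re

XMLDSIG_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"   # DigestMethod from the mail
SOME_TRANSFORM = "http://www.someplace.org/SomeTransform"  # Transform from the mail

# Constructed sample content standing in for #SomeDocument (not from the post).
DOCUMENTS = {
    "#SomeDocument": '<Order><Item sku="A1" qty="2"/>'
                     '<Total currency="EUR">40.00</Total></Order>',
}

def some_transform(xml_text: str, context: dict) -> bytes:
    """Constructed 'human-readable view' transform. It also embeds the rendering
    date from context, i.e. the transform references time-sensitive data."""
    total = re.search(r'<Total currency="([A-Z]{3})">([^<]+)</Total>', xml_text)
    qty = sum(int(q) for q in re.findall(r'qty="(\d+)"', xml_text))
    return (f"Order of {qty} item(s), total {total.group(2)} {total.group(1)}, "
            f"rendered {context['date']}\n").encode()

def corrupted_transform(xml_text: str, context: dict) -> bytes:
    """A changed/corrupted transform: shows the reader a different total."""
    return some_transform(xml_text.replace("40.00", "4.00"), context)

# Constructed prose description of SomeTransform, standing in for a stylesheet
# or spec text that the alternative design would digest instead of the output.
TRANSFORM_DEFINITIONS = {
    SOME_TRANSFORM: "Print item count, Total and the rendering date.",
}
TRANSFORMS = {SOME_TRANSFORM: some_transform}

def digest_value(data: bytes) -> str:
    # xmldsig#sha1 DigestValue = base64(SHA-1(data)). SHA-1 only mirrors the
    # 2003 mail; a current profile would use a SHA-2 DigestMethod.
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def apply_transforms(uri, algs, context, transforms):
    data = DOCUMENTS[uri].encode()
    for alg in algs:  # chained in document order, as ds:Transforms specifies
        data = transforms[alg](data.decode(), context)
    return data

def make_reference(uri, algs, context, transforms=TRANSFORMS):
    """Build a ds:Reference; the digest covers the transform chain's OUTPUT."""
    return {"URI": uri, "Transforms": list(algs), "DigestMethod": XMLDSIG_SHA1,
            "DigestValue": digest_value(apply_transforms(uri, algs, context, transforms))}

def verify_reference(ref, context, transforms=TRANSFORMS):
    """The verifier re-runs the chain locally; no transform text is fetched."""
    actual = digest_value(apply_transforms(ref["URI"], ref["Transforms"], context, transforms))
    return actual == ref["DigestValue"]

def sign_both_views(context):
    """The layout from the mail: two References to the same document, one raw
    and one through SomeTransform to the human-readable view."""
    return [make_reference("#SomeDocument", [], context),
            make_reference("#SomeDocument", [SOME_TRANSFORM], context)]

def verify_all(refs, context, transforms=TRANSFORMS):
    return [verify_reference(r, context, transforms) for r in refs]

def transform_definition_reference(alg):
    """The alternative design: digest the transform's definition, not its output."""
    return {"URI": alg, "DigestMethod": XMLDSIG_SHA1,
            "DigestValue": digest_value(TRANSFORM_DEFINITIONS[alg].encode())}

def verify_definition_reference(ref):
    return digest_value(TRANSFORM_DEFINITIONS[ref["URI"]].encode()) == ref["DigestValue"]

if __name__ == "__main__":
    signed_at = {"date": "2003-03-26"}
    refs = sign_both_views(signed_at)
    print(verify_all(refs, signed_at))                                        # [True, True]
    print(verify_all(refs, signed_at, {SOME_TRANSFORM: corrupted_transform}))  # [True, False]
    print(verify_all(refs, {"date": "2003-04-01"}))                           # [True, False]
    print(verify_definition_reference(transform_definition_reference(SOME_TRANSFORM)))  # True
```

Run stand-alone, the four printed lines show the difference: with the digest over the transform output, a corrupted transform or a different rendering date breaks the second Reference (the raw Reference still verifies, so the verifier can tell which view is affected); with the digest over the transform's definition, verification succeeds at any date even though the human-readable output differs, which is exactly the wiggle-room the mail warns about.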