dss message
Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded


Trevor,

My concern with signing the data after an XSLT transform has been
applied is that the chances of two independent implementations of XSLT
getting exactly the same byte-by-byte value for all possible styles are fairly
low, even though they will look the same.

Nick

> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net]
> Sent: 26 March 2003 18:58
> To: karel.wouters@esat.kuleuven.ac.be; dss@lists.oasis-open.org
> Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded
>
>
> At 12:11 PM 3/26/2003 +0000, karel.wouters@esat.kuleuven.ac.be wrote:
>
> >[...]
> >IMHO, the XML and the transform should be signed, and the rest should be
> >left to be specified by people who adopt this standard.
>
>
> I think it's better to sign 2 references, one to the raw document, one that
> applies transform(s) to make the raw document human-readable:
>
> <Reference URI="#SomeDocument">
>    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>    <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
> </Reference>
> <Reference URI="#SomeDocument">
>    <Transforms>
>      <Transform Algorithm="http://www.someplace.org/SomeTransform"/>
>    </Transforms>
>    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>    <DigestValue>Q52xy4a9289mvDl1up4sbEVU89x=</DigestValue>
> </Reference>
>
> Looking at the XML-DSIG spec, I don't see any mention of signing
> transforms.  Instead, usually transforms shouldn't need to be
> signed/verified, since the data is signed after going through them, so a
> change/corruption of the transform will invalidate the signature.
>
> I guess you're proposing something like this, where both the document and
> transform are signed? -
>
> <Reference URI="#SomeDocument">
>    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>    <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
> </Reference>
> <Reference URI="#http://www.w3.org/SomeTransform">
>    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>    <DigestValue>Q52xy4a9289mvDl1up4sbEVU89x=</DigestValue>
> </Reference>
>
> However in this case, suppose multiple documents (#SomeDocument1,
> #SomeDocument2, etc.) were signed.  And suppose there are multiple
> transforms.  How would it be clear which transforms apply to which
> documents?  Moreover, if you sign only the transforms, not the transformed
> data, then there's wiggle-room for the signer to try to claim that he
> applied the transform differently than the verifier (suppose the transform
> references time-sensitive data somehow).
>
> Also, what about in the case above, where the transform might not be a
> stylesheet, but might be described algorithmically by a text document
> referenced by a URI that may not even be a URL - i.e. there may not be data
> describing the transform that is signable.  Even if there is, it may be a
> human-readable document subject to revisions (which would invalidate a
> signature), or it may be quite large, which would make signing/verifying
> unwieldy, and in any case add a network dependency, since the verifier will
> only be able to verify the document as long as the site stays up.
>
> So I think signing data after it's transformed is much more in accord with
> how XML-DSIG was designed to work, and in the case where we want to sign
> both human-readable and machine-readable views on some data, it's easiest
> to do that with different ds:References, each applying whatever transforms
> are appropriate to the same underlying data.
>
> Trevor
>
>
>
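The two positions in this exchange can be checked side by side in code. The example below is an added illustration, not code from either poster or from the DSS TC: it models Trevor's two ds:Reference elements over the same document (one raw, one after a transform), computes their DigestValues, and then verifies them with a second, independent implementation of the transform that renders identically but emits different bytes (Nick's concern). The document content, the plain-text rendering standing in for "http://www.someplace.org/SomeTransform", the CRLF variant and the helper names are all constructed for the example; canonicalization of the raw reference is skipped, and SHA-1 appears in the algorithm table only because the quoted References use it.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Digest algorithms by XML-DSig identifier. SHA-1 is listed only because the
# quoted References use it; new deployments should pick SHA-256 or stronger.
DIGEST_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}
DEFAULT_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample standing in for "#SomeDocument" (not from the thread).
# Real same-document references would be canonicalized first; skipped here.
DOCUMENTS = {
    "#SomeDocument": b"<Order><Item>Widget</Item><Qty>3</Qty></Order>",
}

# Transform identifier taken from the quoted message; the functions below are
# hypothetical stand-ins for whatever stylesheet it names.
SOME_TRANSFORM = "http://www.someplace.org/SomeTransform"


def render_plain_text(data: bytes) -> bytes:
    """Signer's implementation: render each child element as 'tag: text'."""
    root = ET.fromstring(data)
    return "\n".join(f"{child.tag}: {child.text}" for child in root).encode()


def render_plain_text_crlf(data: bytes) -> bytes:
    """Verifier's independent implementation: looks the same on screen,
    but uses CRLF line ends, so the bytes differ (Nick's concern)."""
    return render_plain_text(data).replace(b"\n", b"\r\n")


def make_reference(uri, transform_ids, registry, digest_method=DEFAULT_DIGEST):
    """Build a dict shaped like a ds:Reference: apply the listed transforms
    to the referenced data, then digest the result."""
    data = DOCUMENTS[uri]
    for tid in transform_ids:
        data = registry[tid](data)
    digest = DIGEST_METHODS[digest_method](data).digest()
    return {
        "URI": uri,
        "Transforms": list(transform_ids),
        "DigestMethod": digest_method,
        "DigestValue": base64.b64encode(digest).decode("ascii"),
    }


def verify_reference(ref, registry) -> bool:
    """Recompute the digest with the verifier's own transform implementations
    and compare in constant time against the signed DigestValue."""
    recomputed = make_reference(ref["URI"], ref["Transforms"], registry, ref["DigestMethod"])
    return hmac.compare_digest(recomputed["DigestValue"], ref["DigestValue"])


def sign_both_views(registry):
    """Trevor's layout: one raw Reference and one transformed Reference,
    both pointing at the same underlying document."""
    return [
        make_reference("#SomeDocument", [], registry),
        make_reference("#SomeDocument", [SOME_TRANSFORM], registry),
    ]


def verify_all(refs, registry):
    return [verify_reference(ref, registry) for ref in refs]


SIGNER_REGISTRY = {SOME_TRANSFORM: render_plain_text}
VERIFIER_REGISTRY = {SOME_TRANSFORM: render_plain_text_crlf}

if __name__ == "__main__":
    refs = sign_both_views(SIGNER_REGISTRY)
    # Same transform implementation on both sides: both references verify.
    print(verify_all(refs, SIGNER_REGISTRY))
    # Independent implementation with different byte output: the raw
    # reference still verifies, the transformed one does not.
    print(verify_all(refs, VERIFIER_REGISTRY))
```

The second run shows both points at once: the transformed Reference does break when the verifier's transform produces different bytes, which is the property Trevor relies on (a changed transform invalidates the signature) and the fragility Nick worries about; the untransformed Reference over the same data is unaffected, which is why signing the raw view alongside the rendered one keeps the signature checkable even when the rendering is in doubt.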