RE: In relation to DSS Action Item - 06-04-24-01 - C14N Note

["Hal Lockhart" <hlockhar@bea.com>]

Konrad,

Based on our last discussion, I propose the following description.

----

When an arbitrary XML document is inserted within another arbitrary XML
document, the problem of computing and correctly verifying a XML digital
signature over the original document becomes very complex and in fact
may not be possible in the most general case. Yet imbedding XML in this
way is a common feature of XML based communication protocols. If
spurious XML digital signature verification errors were to become
relatively common, the result might be a tendency to avoid the use of
XML digital signature entirely or worse still to assume errors were
always spurious and always ignore them.

It is well known that problems of spurious validation errors can occur
with XML Digital Signature due to the inclusion of different namespace
declarations under the signature than those included when the signature
was calculated. The Exclusive Canonicalization Algorithm was devised to
address this issue. 

However, during our work, the OASIS Digital Signature Services Technical
Committee has discovered that there seems to be no general mechanism for
referencing the imbedded document which guarantees the proper infoset
will be obtained in the general case.

If expressions (XPath-Expressions) inside XPath-Filters (or
XPath-Filters 2.0), XSLT etc.. used in the chain of transforms (i.e.
<ds:Reference>/<ds:Transforms>/<ds:Transform>) are used in a way so that
they may also refer to parts of the surrounding context, e.g. a
transport protocol, the output will be different depending on whether
the document is inside that context or not.

Such transformations walk up the XPath ancestor-axis or refer to
absolute parts that may be changed by processing and include or exclude
elements depending on the existence or values of attributes or elements
of the transport protocol. This will produce a validation error. 

As an alternative to the use of XPath, reference may be made to an Id
Attribute, however this method has its own attendant problems. For one
thing, the flat namespace of Id Attributes makes a duplicate and hence
ambiguous reference likely, especially when the documents in question
are large and generated by distinct software elements. Also the
insertion or removal of Id Attributes will break previously computed
signatures over the elements in question. Additionally, a number of
potential security attacks have been identified which may occur when
signature references to Id Attributes are used in particular ways.

A number of specifications have defined special purpose solutions to
this problem, but there sees to be no solution in the general case. The
means identified by the OASIS Digital Signature Services Technical
Committee to assure consistent behavior is "context free extraction"
of signed inline XML content as in section 3.3.2 Process Variant for
<InlineXML> 
<http://docs.oasis-open.org/dss/v1.0/oasis-dss-1.0-core-spec-cd-r4.pdf#p
age=22>.

---

Hal