OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

regrep-security message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [regrep-security] FW: [ebxml-msg] XMLDSIG and v1.05 comments

Conformant XMLDSIG implementations are only required to support
Canonical XML (Omit Comments). Canonical XML with  Comments is
only a RECOMMENDATION.  Here is the execerpt from 
Section 6.1 of XMLDSIG spec ( Aug 20, 2001 - Recommendation Status)

    http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/

    1.Required Canonical XML (omits comments)
      http://www.w3.org/TR/2001/REC-xml-c14n-20010315 
    2.Recommended Canonical XML with Comments
      http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments 

So I think only the C14N OMIT Comments should be a requirement - to
lower the barrier for conformance.

Sekhar


Christopher Ferris wrote:
> 
> Suresh,
> 
> Some comments/responses below.
> 
> Cheers,
> 
> Chris
> 
> Damodaran, Suresh wrote:
> 
> > Sekhar,
> >
> > FYI: My comments on ebXML MSG use of xmldsig
> > and response from the editor. I am reposting because
> > these would be relevant to our work on Registry xmldsig.
> >
> > Cheers,
> > -Suresh
> >
> > -----Original Message-----
> > From: David Fischer [mailto:david@drummondgroup.com]
> > Sent: Tuesday, October 23, 2001 2:24 PM
> > To: Damodaran, Suresh; ebxml-msg@lists.oasis-open.org
> > Subject: RE: [ebxml-msg] XMLDSIG and v1.05 comments
> >
> >
> > I agree on items 1-5 (some of them are REQUIRED).  Since no one has
> > commented, I
> > will make these changes.  (Comments anyone?)
> >
> > I can see some benefits to item 6 (use of the ds:Signature/Manifest) but I
> > am
> > concerned that it will cause systems not to be Interoperable if some systems
> > do
> > this and some don't.  Anyone have thoughts?
> >
> > Regards,
> >
> > David Fischer
> > Drummond Group.
> >
> > P.S.  Mr. Burdett, would you mind capturing these in the change DB?
> >
> > -----Original Message-----
> > From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com]
> > Sent: Friday, October 19, 2001 3:44 PM
> > To: 'ebxml-msg@lists.oasis-open.org'
> > Subject: [ebxml-msg] XMLDSIG and v1.05 comments
> >
> >
> >
> > I have some comments and change proposals on Section 4.1.3 Signature
> > Generation
> >
> > 1. Line 1088 suggests that ds:CanonicalizationMethod element is optional
> > in ds:SignedInfo. I don't believe it is true. Section 4.3.1 of XMLDSIG spec
> > [1]
> > states that "CanonicalizationMethod is a required element that specifies the
> > canonicalization algorithm
> > applied to the SignedInfo element...". Therefore, I propose we restate the
> > sentence
> > with a "MUST." Para starting 1090 needs to be rewritten too.
> 
> I agree. I think that what happened here is that the intent was to say that
> the choice of C14N algorithm was optional (up to the parties to
> agree upon). Clearly, the element is REQUIRED.
> 
> >
> > 2. I also propose we provide a RECOMMENDED algorithm for
> > CanonicalizationMethod as
> > http://www.w3.org/TR/2001/REC-xml-c14n-20010315 (this one omits comments)
> > e.g.,
> > <ds:CanonicalizationMethod
> > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> 
> That would be fine, but some consideration should be given to
> providing guidance as to what implications there might be in
> excluding comments. It may be that the comments are significant...
> Both the with and without comments algorithms are REQUIRED to be
> supported by conformant XMLDSig implementations, so either
> should be acceptable.
> 
> > 3. Sentence on line 1100 says that the signature is calculated over the SOAP
> > Header. I would argue that the signature be calculated over
> > SOAP-ENV:Envelope instead of SOAP-ENV:Header. This would include the
> > <eb:Manifest> in the SOAP-ENV:Body. Why is this needed? It is possible that
> > ds:Signature element is eliminated from the message after signature
> > validation is done. Beyond that point, the application would look at
> > eb:Manifest to locate the resources. Therefore, the integrity of eb:Manifest
> > element is important. The change from SOAP Header to SOAP Envelope needs to
> > be made in the whole section.
> > 4. Line 1107 talks about the ds:Transform elements. I propose we add another
> > REQUIRED ds:Transform
> > element
> > <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> > for the SOAP Envelope after the "enveloped-signature" transform. This new
> > transform will make sure the SOAP envelope is canonicalized before signed.
> 
> I don't believe that this is necesary. It is redundant is it not?
> 
> > 5. Line 1120 suggests that URI attribute need not match the manifest
> > reference. I don't know what purpose this serves. I propose we delete
> > "However, this is NOT REQUIRED"
> > 6. Line 1103: The Type attribute is optional according to the spec. Note
> > that if the reference type is
> > not manifest [http://www.w3.org/TR/xmldsig-core/#sec-Manifest]  the
> > reference (i.e., payload) is required to be
> > validated as per XMLDSIG. We may want to give more control to the
> > application on validation. Therefore, mention of the manifest Type would be
> > good. The manifest itself is an ds:Object which is an element of
> > ds:Signature. I propose we REQUIRE the type attribute for the Reference
> > element of SOAP Envelope with a value of either
> > http://www.w3.org/2000/09/xmldsig#Object or
> > http://www.w3.org/2000/09/xmldsig#Manifest.
> 
> I'm not sure I agree. I don't think that you want to give this
> level of control to the application. The purpose of the signature
> is to provide for integrity of the message. If the signature validation
> fails, it means that the message may have been tampered with in transit.
> 
> > ----------------------------------------------------------------------------
> > ----------------------------------------
> > [1] XML-Signature Syntax and Processing - W3C Proposed Recommendation
> > http://www.w3.org/TR/xmldsig-core/
> >
> >
> > Cheers,
> > -Suresh
> >
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
> >
> 
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>

-- 
Sekhar

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC