[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [ubl-ndrsc] Digital Signatures
I apologize for entering the conversation late, but are we talking about the document carrying a signature for itself? What was signed must be either preserved or described. We describe (through canonicalization) in order to allow for certain changes to the source -- such as elimination of comments, or rearranging of attributes. The nature and degree of acceptable change is application-specific. Choosing the signature representation and algorithm described in the X.509 certificate standard doesn't free us from this burden. Regardless of algorithm and signature representation, these steps will happen: 0. XML source document exists [1. optionally: XML is canonicalized] 2. digest algorithm is applied to some representation of the XML 3. the digest is digitally signed 4. the digest, and signature are stored back into the infoset (0) What advice does X.509 provide for (1)? What advice does it provide for (2). It provides some advice for the format of (4) (DER encoded structures) -- but how is that represented back into XML (UBL)? The XML Digital Signature standard http://www.w3.org/TR/xmldsig-core/ and its companion specification, Canonical XML http://www.w3.org/TR/2001/REC-xml-c14n-20010315 prescribe solutions to 1,2,3 and 4. Furthermore, there are working implementations of XML Dsig both Free and commercial readily available. My counterproposal, therefore, is to use XML Digital Signature... That is _if_ we need to do digital signatures at all :-) -----Original Message----- From: Paul Thorpe [mailto:thorpe@oss.com] Sent: Tuesday, June 03, 2003 4:31 PM To: ubl-ndrsc@lists.oasis-open.org Subject: [ubl-ndrsc] Digital Signatures Hi, In the last UBL NDRSC phone call I promised to send more information about the use of digital signatures in all UBL documents. I agree with David Burdett that an optional field should be added to all UBL documents, but believe the industry standard X.509 based signatures should be used. The reason I suggest this is that this does not require you to preserve binary content of what was signed. Anyone who wishes to authenticate the signature can recreate that binary content when they need to do the authentication since DER (Distinguished Encoding Rules) is truely canonical (has exactly one way of encoding any given message). Note that even Canonical-XML requires you to preserve the namespace prefixes that were in the XML tags, so you would really need to preserve the complete XML document (tags with prefixes and all) along with the signature in order to authenticate it if you directly sign the XML document. By making the field optional, no one is required to use the digital signatures, but can if they wish to. This optional signature field should placed in the schema immediately before or after the global element whose contents need authentication. ---------------------------------------------------------------------------- Paul E. Thorpe Toll Free : 1-888-OSS-ASN1 OSS Nokalva International: 1-732-302-0750 Email: thorpe@oss.com Tech Support : 1-732-302-9669 http://www.oss.com Fax : 1-732-302-0023 You may leave a Technical Committee at any time by visiting http://www.oasis-open.org/apps/org/workgroup/ubl-ndrsc/members/leave_workgro up.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]