[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Proposed change to the "signed information" transform expression
Hi all, In my current proposal for the digital signature transform expression of those nodes of a UBL instance that participate in the signature hash calculation, I have this expression: count(ancestor-or-self::sig:SignatureGroup | here()/ancestor::sig:SignatureGroup[1]) > count(ancestor-or-self::sig:SignatureGroup) ... which excludes everything under the ancestral <sig:SignatureGroup> element. This makes sense when there is only a single set of signatures. In UBL there is a chance there will be multiple signature groups (so far only for the Certificate Of Origin, but who knows what document in the future might have multiple signature groups?). Something came to mind this evening when writing my response to Oriol ... we need to change the above to instead exclude everything outside of <sig:SignatureInformation>: count(ancestor-or-self::sig:SignatureInformation | here()/ancestor::sig:SignatureInformation[1]) > count(ancestor-or-self::sig:SignatureInformation) ... in order to allow the *different* groups of signatures to have their signatures added in a random order. Since there is no business information inside of the <sig:SignatureInformation> element, there is nothing "unprotected" by making the proposed change above. Also, if we don't make the change, we end up "signing other signatures" which means that once this is done, the "other signatures" cannot be augmented or the just completed signature is invalid. So this is really a critically important change. This does not involve a schema change, but it does require an instance change to one of the sample instances. The documentation would also have to change in section 5.3. I can prepare a new ZIP for Jon at any time with this change, but I would like someone from the Security SC to confirm my suspicions above and endorse my proposed change (or tell me I'm mistaken!) as soon as possible. Thanks! And thank you for your patience with me as I better understand each day how this security stuff works ... I *think* I have a real handle on it now and feel this proposal is an important improvement. . . . . . . . . . . . Ken -- XSLT/XQuery training: after http://XMLPrague.cz 2011-03-28/04-01 Vote for your XML training: http://www.CraneSoftwrights.com/o/i/ Crane Softwrights Ltd. http://www.CraneSoftwrights.com/o/ G. Ken Holman mailto:gkholman@CraneSoftwrights.com Male Cancer Awareness Nov'07 http://www.CraneSoftwrights.com/o/bc Legal business disclaimers: http://www.CraneSoftwrights.com/legal
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]