Re: [election-services] FW: XML digital signatures et al

[David Webber <david.webber@oracle.com>]

John,

It appears helpful in just validating that none of these things should apply to election implementations!

These all appear operational considerations relative to dSig - vis avoiding theoretical potential aspects assuming an open system - rather than good practices per say.

In our case we are not talking about open systems - they are all closed - inspected and tested - so you are not receiving content from random unknown sources

using random unknown software.

A bit troubling - you wonder how much validation this all had -

 For signers and verifiers: Be aware of schema procesisng

Mayhem may be out there - but he should not have unfettered access to your election systems!

My assessment - good to note these could occur - but simply say these appear out of bounds WRT election systems.

DW

----- Original Message -----
From: johnaborras@yahoo.co.uk
To: election-services@lists.oasis-open.org
Sent: Thursday, July 21, 2011 3:29:40 AM GMT -05:00 US/Canada Eastern
Subject: [election-services] FW: XML digital signatures et al

Does anyone have any views on this document and thoughts about how we might use it to support EML?

 

John

 

From: stds-1622@ieee.org [mailto:stds-1622@ieee.org] On Behalf Of Wack, John
Sent: 20 July 2011 21:31
To: David RR Webber (XML)
Cc: stds-1622@LISTSERV.IEEE.ORG
Subject: RE: XML digital signatures et al

 

Here is a link to an informative document about best practices for XML signatures - looks like it could be useful in formulating some guidance for OASIS:

 

h! ttp://www.w3.org/TR/xmldsig-bestpractices/

 

Cheers, John

 

---

From: David RR Webber (XML) [david@drrw.info]
! Sent: Friday, July 15, 2011 2:48 PM
To: Wack, John
Cc: stds-1622@LISTSERV.IEEE.ORG
Subject: RE: XML digital signatures et al

John,

 

This document looks most helpful - and could be adapted to form the basis for guidelines on DSig use for CDF.  The interesting thing next would be to understand impact assessment in terms of how readily these requirements could be met in fielded solutions going forward?

 

Thanks, DW

-------- Original Message --------
Subject: XML digital signatures et al
From: "Wack, John" <john.wack@NIST.GOV>
Date: Fri, July 15, 2011 2:33 pm
To: "stds-1622@LISTSERV.IEEE.ORG" <s! tds-1622@LISTSERV.IEEE.ORG>

Hi folks,

 

I want to call your attention to a draft document put out by a colleague in the computer security division that is very much of interest to us – it deals directly with the security of XML files.  I am excerpting the announcement of the document below and attaching it to this email.  We could discuss aspects of this document on the next call as desired.

 

Have a good weekend, John

 

Draft NIST Interagency Report (IR) 7802, Trust Model for Security Automation Data (TMSAD) Version 1.0 is available for public comment
July 13, 2011 
 
NIST announces the public comment release of draft Interagency Report (IR) 7802, Trust Model for Security Automation Data (TMSAD) Version 1.0. This report defines the initial specification for version 1.0 of the Trust Model for Security Automation Data (TMSAD), which is designed to permit organizations to establish integrity, authentication, and traceability for security automation data. The trust model focuses on using digital signatures with Extensible Markup Language (XML) based security automation source and result documents. TMSAD supports the Security Content Automation Protocol (SCAP) version 1.2. 
 
NIST requests comments on draft IR 7802 by August 1, 2011. Please submit comments to ir7802comments@nist.gov with "Comments IR 7802" in the subject line.

 

 

--

John P. Wack

john.wack@nist.gov

301.975.3411

NOTE: I ! use voice recognition for composing email, which sometimes produc es wrong words that I don't catch.