OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

regrep-security message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [regrep-security] FW: [ebxml-msg] XMLDSIG and v1.05 comments

The line numbers are for the ebXML MS spec.
I don't think it is terribly important for us.
(We have similar problems in our spec - read
the other spec only as an example)
In any case, I am attaching that spec

-----Original Message-----
From: Sekhar Vajjhala - Sun Microsystems
Sent: Thursday, October 25, 2001 9:01 AM
To: Damodaran, Suresh
Cc: 'regrep-security@lists.oasis-open.org'
Subject: Re: [regrep-security] FW: [ebxml-msg] XMLDSIG and v1.05


I can't match the line numbers with the XMLDSIG usage documents
that were posted. There is no line number in the 1088 in the
pdf document for "Use of XML DSIG in ebXML Registry" document.

Which document are you looking at ? Can you please email
me a copy of that document ?



"Damodaran, Suresh" wrote:
> Sekhar,
> FYI: My comments on ebXML MSG use of xmldsig
> and response from the editor. I am reposting because
> these would be relevant to our work on Registry xmldsig.
> Cheers,
> -Suresh
> -----Original Message-----
> From: David Fischer [mailto:david@drummondgroup.com]
> Sent: Tuesday, October 23, 2001 2:24 PM
> To: Damodaran, Suresh; ebxml-msg@lists.oasis-open.org
> Subject: RE: [ebxml-msg] XMLDSIG and v1.05 comments
> I agree on items 1-5 (some of them are REQUIRED).  Since no one has
> commented, I
> will make these changes.  (Comments anyone?)
> I can see some benefits to item 6 (use of the ds:Signature/Manifest) but I
> am
> concerned that it will cause systems not to be Interoperable if some
> do
> this and some don't.  Anyone have thoughts?
> Regards,
> David Fischer
> Drummond Group.
> P.S.  Mr. Burdett, would you mind capturing these in the change DB?
> -----Original Message-----
> From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com]
> Sent: Friday, October 19, 2001 3:44 PM
> To: 'ebxml-msg@lists.oasis-open.org'
> Subject: [ebxml-msg] XMLDSIG and v1.05 comments
> I have some comments and change proposals on Section 4.1.3 Signature
> Generation
> 1. Line 1088 suggests that ds:CanonicalizationMethod element is optional
> in ds:SignedInfo. I don't believe it is true. Section 4.3.1 of XMLDSIG
> [1]
> states that "CanonicalizationMethod is a required element that specifies
> canonicalization algorithm
> applied to the SignedInfo element...". Therefore, I propose we restate the
> sentence
> with a "MUST." Para starting 1090 needs to be rewritten too.
> 2. I also propose we provide a RECOMMENDED algorithm for
> CanonicalizationMethod as
> http://www.w3.org/TR/2001/REC-xml-c14n-20010315 (this one omits comments)
> e.g.,
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> 3. Sentence on line 1100 says that the signature is calculated over the
> Header. I would argue that the signature be calculated over
> SOAP-ENV:Envelope instead of SOAP-ENV:Header. This would include the
> <eb:Manifest> in the SOAP-ENV:Body. Why is this needed? It is possible
> ds:Signature element is eliminated from the message after signature
> validation is done. Beyond that point, the application would look at
> eb:Manifest to locate the resources. Therefore, the integrity of
> element is important. The change from SOAP Header to SOAP Envelope needs
> be made in the whole section.
> 4. Line 1107 talks about the ds:Transform elements. I propose we add
> REQUIRED ds:Transform
> element
> <ds:Transform
> for the SOAP Envelope after the "enveloped-signature" transform. This new
> transform will make sure the SOAP envelope is canonicalized before signed.
> 5. Line 1120 suggests that URI attribute need not match the manifest
> reference. I don't know what purpose this serves. I propose we delete
> "However, this is NOT REQUIRED"
> 6. Line 1103: The Type attribute is optional according to the spec. Note
> that if the reference type is
> not manifest [http://www.w3.org/TR/xmldsig-core/#sec-Manifest]  the
> reference (i.e., payload) is required to be
> validated as per XMLDSIG. We may want to give more control to the
> application on validation. Therefore, mention of the manifest Type would
> good. The manifest itself is an ds:Object which is an element of
> ds:Signature. I propose we REQUIRE the type attribute for the Reference
> element of SOAP Envelope with a value of either
> http://www.w3.org/2000/09/xmldsig#Object or
> http://www.w3.org/2000/09/xmldsig#Manifest.
> ----------------------------------------
> [1] XML-Signature Syntax and Processing - W3C Proposed Recommendation
> http://www.w3.org/TR/xmldsig-core/
> Cheers,
> -Suresh
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC