
Subject: RE: [ubl-lcsc] [QA-0p70] Digital Signature Comment


Folks:

I hate to bring this up again, but this is exactly the kind of issue being
addressed by the UN/CEFACT "Generic Header" project. (Need to preserve
envelope information when document itself is processed.) Is there any
alignment between various groups worth pursuing here?

Cheers,

Arofan

-----Original Message-----
From: Eve L. Maler [mailto:eve.maler@sun.com]
Sent: Friday, April 11, 2003 11:40 AM
To: Lisa Seaburg
Cc: Ubl-Lcsc
Subject: Re: [ubl-lcsc] [QA-0p70] Digital Signature Comment


I agree with David's comment.  If you rely on digital signing only at
the message envelope layer, then the payload becomes dependent on having
the message layer around when the latter would otherwise have been
discarded.

An example of including the relevant XML Signature elements can be found
in the SAML specification:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

See in particular the "core" specification and the schema modules:

http://www.oasis-open.org/committees/download.php/1371/oasis-sstc-saml-core-1.0.pdf
http://www.oasis-open.org/committees/download.php/1376/oasis-sstc-saml-schema-assertion-1.0.xsd
http://www.oasis-open.org/committees/download.php/1377/oasis-sstc-saml-schema-protocol-1.0.xsd

...though note that the SAML group is in the process of further
tightening and expanding its usage of XML Signature.  One thing we
learned is that it's immensely useful to put ID attributes on the
elements that are likely signing targets, as it's too expensive to use a
more complicated XPath to refer to these elements.

	Eve

Lisa Seaburg wrote:
> Eve,
> One of the comments on 0p70 is from David Burdett and goes into digital
> signatures.  We (the QA Team) would like your feedback on this one. Is
> this out of scope, should this be discussed at the Face to Face?
>
> Lisa
>
> David's comment:
>
> "UBL documents cannot be digitally signed directly."
>
> His proposed solutions:
>
> "Add an optional XML Dsig element to the root of each document and
> guidelines on how it should be used.
> Often the authenticity of a UBL document will need to be determined
> using cryptographic techniques. One way of doing this is to sign the
> document together with the envelope in which it is contained as, for
> example, ebXML Messaging provides [1]. However, this means that you HAVE
> to keep the message around in order to later prove authenticity when the
> message is being processed. This adds to complexity and only works if
> messaging protocols such as ebXML Messaging are being used.
> A better alternative is to include an XML DSig digital signature [2]
> element as an *optional* element at the root level of every UBL
> document. I would also recommend that a guideline is provided that
> describes how XML digital signatures should be used inside a UBL
> document in order to improve interoperability.
> [1] ebXML Messaging specifications,
> http://www.oasis-open.org/committees/ebxml-msg/#documents
> [2] W3C XML Digital Signature Specification,
> http://www.w3.org/TR/xmldsig-core/
> QA Team recognized importance of this area. Security was out of scope
> for 0p70, but will be taken up at F2F."
--
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Technologies and Standards               eve.maler @ sun.com
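The thread above argues for an optional XML DSig element at the root of each UBL document (David's proposal) and for ID attributes on the elements that are signing targets (Eve's lesson from SAML). The script below is an added illustration of both points; it is not code from the thread, from UBL or from SAML. It builds an enveloped `ds:Signature` as the last child of a payload root, references the root through its `ID` attribute with `URI="#..."`, wraps the signed payload in a constructed message envelope, and shows that the signature still verifies after the envelope has been thrown away, while a one-character change to the payload fails. Assumptions, all mine: HMAC-SHA256 stands in for an RSA key pair so that only the standard library is needed; `xml.etree`'s Canonical XML 2.0 implementation stands in for Canonical XML 1.0; the `ID` attribute is resolved by naming convention rather than DTD/schema ID typing; the `Order` payload, its `urn:example:ubl-like` namespace, the `Envelope` element and the key are constructed sample data.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# Algorithm identifiers. The enveloped-signature transform is from xmldsig-core;
# SHA-256, HMAC-SHA256 (RFC 6931) and Canonical XML 2.0 are later additions.
ENVELOPED = DS + "enveloped-signature"
C14N2 = "http://www.w3.org/2010/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample payload: UBL-like in shape only, not a real UBL schema.
SAMPLE_ORDER = (
    '<Order xmlns="urn:example:ubl-like" ID="ORD-2003-0411">'
    "<BuyerParty>ACME</BuyerParty><LineItem><Quantity>10</Quantity></LineItem>"
    "</Order>"
)
KEY = b"constructed-shared-secret"  # HMAC key standing in for an RSA key pair


def _ds(tag):
    return f"{{{DS}}}{tag}"


def _c14n(elem):
    """Canonical bytes of an element; C14N 2.0 stands in for Canonical XML 1.0."""
    xml = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(xml, rewrite_prefixes=True).encode("utf-8")


def _reference_digest(elem):
    """Enveloped-signature transform: hash the element with its own
    ds:Signature child removed, so the digest is stable before and after signing."""
    clone = copy.deepcopy(elem)
    for sig in clone.findall(_ds("Signature")):
        clone.remove(sig)
    return base64.b64encode(hashlib.sha256(_c14n(clone)).digest()).decode()


def _find_by_id(root, ident):
    # Same-document Reference URI ("#id") resolved via the ID attribute
    # convention, instead of an XPath expression over the tree.
    for el in root.iter():
        if el.get("ID") == ident:
            return el
    return None


def sign_document(xml_text, key):
    """Return xml_text with a ds:Signature appended as the last child of the root."""
    root = ET.fromstring(xml_text)
    target_id = root.get("ID")
    if not target_id:
        raise ValueError("root element needs an ID attribute to be a signing target")
    sig = ET.Element(_ds("Signature"))
    signed_info = ET.SubElement(sig, _ds("SignedInfo"))
    ET.SubElement(signed_info, _ds("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(signed_info, _ds("SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(signed_info, _ds("Reference"), URI="#" + target_id)
    transforms = ET.SubElement(ref, _ds("Transforms"))
    ET.SubElement(transforms, _ds("Transform"), Algorithm=ENVELOPED)
    ET.SubElement(ref, _ds("DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, _ds("DigestValue")).text = _reference_digest(root)
    # The signature covers SignedInfo, which in turn carries the payload digest.
    mac = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, _ds("SignatureValue")).text = base64.b64encode(mac).decode()
    root.append(sig)
    return ET.tostring(root, encoding="unicode")


def verify_document(xml_text, key):
    """True only if the Reference digest and the MAC over SignedInfo both check."""
    root = ET.fromstring(xml_text)
    sig = root.find(_ds("Signature"))
    if sig is None:
        return False
    signed_info = sig.find(_ds("SignedInfo"))
    ref = signed_info.find(_ds("Reference"))
    uri = ref.get("URI", "")
    target = _find_by_id(root, uri[1:]) if uri.startswith("#") else None
    if target is None:
        return False
    claimed = ref.findtext(_ds("DigestValue")) or ""
    if not hmac.compare_digest(claimed, _reference_digest(target)):
        return False
    expected = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    actual = base64.b64decode(sig.findtext(_ds("SignatureValue")) or "")
    return hmac.compare_digest(expected, actual)


def wrap_in_envelope(payload_xml):
    """Constructed transport envelope; a real one (ebXML Messaging) is richer."""
    env = ET.Element("Envelope", MessageId="msg-0001")
    env.append(ET.fromstring(payload_xml))
    return ET.tostring(env, encoding="unicode")


def extract_payload(envelope_xml):
    """What a receiver keeps once the message layer is discarded."""
    return ET.tostring(ET.fromstring(envelope_xml)[0], encoding="unicode")


def demo():
    signed = sign_document(SAMPLE_ORDER, KEY)
    payload_after_transport = extract_payload(wrap_in_envelope(signed))
    survives_envelope_loss = verify_document(payload_after_transport, KEY)
    tampered_ok = verify_document(signed.replace(">10<", ">99<"), KEY)
    return survives_envelope_loss, tampered_ok  # (True, False)


if __name__ == "__main__":
    print(demo())
```

Because the payload carries its own `ds:Signature`, `verify_document` needs nothing from `Envelope`; that is the property David and Eve want, and it is exactly what an envelope-only signature cannot give once the message layer is gone. The `_find_by_id` lookup is the cheap alternative to an XPath reference that Eve describes: one attribute scan, no XPath engine.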