ubl-ndrsc message

Subject: RE: [ubl-ndrsc] Digital Signatures

I apologize for entering the conversation late, but are we talking about the
document carrying a signature for itself?  

What was signed must be either preserved or described.  We describe (through
canonicalization) in order to allow for certain changes to the source --
such as elimination of comments, or rearranging of attributes.  The nature
and degree of acceptable change is application-specific.  

Choosing the signature representation and algorithm described in the X.509
certificate standard doesn't free us from this burden.  Regardless of
algorithm and signature representation, these steps will happen:

0. XML source document exists
[1. optionally: XML is canonicalized]
2. digest algorithm is applied to some representation of the XML
3. the digest is digitally signed
4. the digest, and signature are stored back into the infoset (0)

What advice does X.509 provide for (1)?  What advice does it provide for
(2)?  It provides some advice for the format of (4) (DER encoded structures)
-- but how is that represented back into XML (UBL)?

The XML Digital Signature standard http://www.w3.org/TR/xmldsig-core/ and
its companion specification, Canonical XML
http://www.w3.org/TR/2001/REC-xml-c14n-20010315 prescribe solutions to 1,2,3
and 4.  Furthermore, there are working implementations of XML Dsig both Free
and commercial readily available.  

My counterproposal, therefore, is to use XML Digital Signature... That is
_if_ we need to do digital signatures at all :-)

-----Original Message-----
From: Paul Thorpe [mailto:thorpe@oss.com] 
Sent: Tuesday, June 03, 2003 4:31 PM
To: ubl-ndrsc@lists.oasis-open.org
Subject: [ubl-ndrsc] Digital Signatures


In the last UBL NDRSC phone call I promised to send more information about
the use of digital signatures in all UBL documents.  I agree with David
Burdett that an optional field should be added to all UBL documents, but
believe the industry standard X.509 based signatures should be used.  The
reason I suggest this is that this does not require you to preserve binary
content of what was signed.  Anyone who wishes to authenticate the signature
can recreate that binary content when they need to do the authentication
since DER (Distinguished Encoding Rules) is truly canonical (has exactly
one way of encoding any given message).

Note that even Canonical-XML requires you to preserve the namespace prefixes
that were in the XML tags, so you would really need to preserve the complete
XML document (tags with prefixes and all) along with the signature in order
to authenticate it if you directly sign the XML document.

By making the field optional, no one is required to use the digital
signatures, but can if they wish to.

This optional signature field should be placed in the schema immediately before
or after the global element whose contents need authentication.

Paul E. Thorpe                                 Toll Free    : 1-888-OSS-ASN1
OSS Nokalva                                    International: 1-732-302-0750
Email: thorpe@oss.com                          Tech Support : 1-732-302-9669
http://www.oss.com                             Fax          : 1-732-302-0023
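Added example (not part of either message above, and not UBL or OASIS code): the four steps listed in the reply (canonicalize, digest, sign, store back into the document) and the prefix-preservation point in Paul's message, carried out in Python with the standard library only. Assumptions: the sample invoice and its namespace URNs are constructed and are not a real UBL instance; xml.etree.ElementTree.canonicalize implements Canonical XML 2.0 rather than the C14N 1.0 that XML DSig references, which makes no difference to the behaviour shown here; an HMAC over the digest stands in for the asymmetric (X.509-keyed) signature of step 3; and the sig:Signature element that carries the values in step 4 is a simplified illustration, not XML DSig's ds:Signature syntax.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Constructed sample documents for this example (not real UBL instances; the
# namespace URNs are made up). All three carry the same business content.
ORIGINAL = """\
<ubl:Invoice xmlns:ubl="urn:example:ubl:Invoice"
             xmlns:cbc="urn:example:ubl:CommonBasicComponents">
  <cbc:ID>INV-1001</cbc:ID>
  <cbc:IssueDate>2003-06-03</cbc:IssueDate>
  <cbc:Note></cbc:Note>
  <cbc:PayableAmount currencyID="EUR" amountCurrencyCodeListVersionID="0.3">1250.00</cbc:PayableAmount>
</ubl:Invoice>"""

# Same document re-serialised by another tool: attribute order, quoting,
# empty-element syntax and comments changed, namespace prefixes kept.
REFORMATTED = """\
<!-- re-serialised by a different tool -->
<ubl:Invoice xmlns:cbc='urn:example:ubl:CommonBasicComponents' xmlns:ubl='urn:example:ubl:Invoice'>
  <cbc:ID>INV-1001</cbc:ID>
  <cbc:IssueDate>2003-06-03</cbc:IssueDate>
  <cbc:Note/><!-- nothing to note -->
  <cbc:PayableAmount amountCurrencyCodeListVersionID='0.3' currencyID='EUR'>1250.00</cbc:PayableAmount>
</ubl:Invoice>"""

# Same document with the namespace prefixes renamed (ubl -> inv, cbc -> bc);
# the namespace URIs and the content are unchanged.
REPREFIXED = """\
<inv:Invoice xmlns:inv="urn:example:ubl:Invoice"
             xmlns:bc="urn:example:ubl:CommonBasicComponents">
  <bc:ID>INV-1001</bc:ID>
  <bc:IssueDate>2003-06-03</bc:IssueDate>
  <bc:Note></bc:Note>
  <bc:PayableAmount currencyID="EUR" amountCurrencyCodeListVersionID="0.3">1250.00</bc:PayableAmount>
</inv:Invoice>"""


# Step 1: Canonical XML. The stdlib implements C14N 2.0; XML DSig names
# C14N 1.0/1.1, but the behaviour that matters here is the same: comments go,
# attributes are sorted, quoting and empty elements are normalised, and the
# namespace prefixes the author chose are kept.
def canonicalize(xml_text: str) -> bytes:
    return ET.canonicalize(xml_text, with_comments=False).encode("utf-8")


# Step 2: digest the canonical form, never the raw bytes that arrived.
def digest(canonical: bytes) -> bytes:
    return hashlib.sha256(canonical).digest()


# Step 3: sign the digest. An HMAC stands in for the RSA/ECDSA signature of a
# real XML DSig so that the example runs with the standard library alone.
def sign_digest(d: bytes, key: bytes) -> bytes:
    return hmac.new(key, d, hashlib.sha256).digest()


SIG_NS = "urn:example:sig"  # simplified carrier element, not XML DSig syntax


# Step 4: put the digest and signature back into XML so they travel with
# the document.
def make_signature_element(xml_text: str, key: bytes) -> str:
    d = digest(canonicalize(xml_text))
    s = sign_digest(d, key)
    return (f'<sig:Signature xmlns:sig="{SIG_NS}">'
            f'<sig:DigestValue>{base64.b64encode(d).decode()}</sig:DigestValue>'
            f'<sig:SignatureValue>{base64.b64encode(s).decode()}</sig:SignatureValue>'
            '</sig:Signature>')


def verify(xml_text: str, signature_xml: str, key: bytes) -> str:
    """Re-run steps 1-2 on the document we hold and check both values."""
    sig = ET.fromstring(signature_xml)
    claimed_digest = base64.b64decode(sig.findtext(f"{{{SIG_NS}}}DigestValue"))
    claimed_sig = base64.b64decode(sig.findtext(f"{{{SIG_NS}}}SignatureValue"))
    if not hmac.compare_digest(sign_digest(claimed_digest, key), claimed_sig):
        return "bad signature"      # signature does not cover this digest
    if not hmac.compare_digest(digest(canonicalize(xml_text)), claimed_digest):
        return "digest mismatch"    # document differs from what was signed
    return "ok"


if __name__ == "__main__":
    KEY = b"demo-shared-secret"  # stand-in for the signer's private key
    sig = make_signature_element(ORIGINAL, KEY)
    print(verify(REFORMATTED, sig, KEY))  # ok: cosmetic changes absorbed by C14N
    print(verify(REPREFIXED, sig, KEY))   # digest mismatch: prefixes are part of the canonical form
    print(verify(REFORMATTED.replace("1250.00", "1350.00"), sig, KEY))  # digest mismatch
```

Run as written it prints ok for the reformatted copy and digest mismatch for both the re-prefixed copy and the altered amount: canonicalization absorbs attribute order, quoting, empty-element syntax and comments, but the prefix names are part of what was signed, which is the point Paul makes about Canonical XML. A receiver that rewrites prefixes while processing therefore has to keep the bytes it received (or the canonical form) if it wants to verify the signature later.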
