ubl-ndrsc message
Subject: RE: [ubl-ndrsc] Digital Signatures


On Tue, 3 Jun 2003, Burcham, Bill wrote:

> I apologize for entering the conversation late, but are we talking about the
> document carrying a signature for itself?  
> 
> What was signed must be either preserved or described.  We describe (through
> canonicalization) in order to allow for certain changes to the source --
> such as elimination of comments, or rearranging of attributes.  The nature
> and degree of acceptable change is application-specific.  

The data signed must not have changed, or the signature will not pass
authentication.

> 
> Choosing the signature representation and algorithm described in the X.509
> certificate standard doesn't free us from this burden.  Regardless of
> algorithm and signature representation, these steps will happen:
> 
> 0. XML source document exists
> [1. optionally: XML is canonicalized]
> 2. digest algorithm is applied to some representation of the XML
> 3. the digest is digitally signed
> 4. the digest, and signature are stored back into the infoset (0)
> 
> What advice does X.509 provide for (1)?  What advice does it provide for
> (2).  It provides some advice for the format of (4) (DER encoded structures)
> -- but how is that represented back into XML (UBL)?

With X.509, it is not necessary to store the digest.  Only the signature
needs to be stored.  The "digest" is the DER encoding which can be
recreated from the data in the XML document.  Since DER is truly
canonical, the "digest" does not need to be kept.

> 
> The XML Digital Signature standard http://www.w3.org/TR/xmldsig-core/ and
> its companion specification, Canonical XML
> http://www.w3.org/TR/2001/REC-xml-c14n-20010315 prescribe solutions to 1,2,3
> and 4.  Furthermore, there are working implementations of XML Dsig both Free
> and commercial readily available.  

If you look at XML Digital Signature, you will note that it uses X.509 (see
for example section 4.4.4).  The main difference is the overhead of
keeping the "digest".  Note that you still need to preserve the namespace
prefixes for Canonical XML.  I was pointing out that you can eliminate
this overhead by using X.509 signatures directly.  There are also free
toolkits (such as snacc) that handle DER encoding.

> 
> My counterproposal, therefore, is to use XML Digital Signature... That is
> _if_ we need to do digital signatures at all :-)

If there is no authentication, who will trust the UBL documents outside of
their own organization?  The point of UBL is business to business communication,
right?

Paul

> 
> -----Original Message-----
> From: Paul Thorpe [mailto:thorpe@oss.com] 
> Sent: Tuesday, June 03, 2003 4:31 PM
> To: ubl-ndrsc@lists.oasis-open.org
> Subject: [ubl-ndrsc] Digital Signatures
> 
> 
> Hi,
> 
> In the last UBL NDRSC phone call I promised to send more information about
> the use of digital signatures in all UBL documents.  I agree with David
> Burdett that an optional field should be added to all UBL documents, but
> believe the industry standard X.509 based signatures should be used.  The
> reason I suggest this is that this does not require you to preserve binary
> content of what was signed.  Anyone who wishes to authenticate the signature
> can recreate that binary content when they need to do the authentication
> since DER (Distinguished Encoding Rules) is truly canonical (has exactly
> one way of encoding any given message).
> 
> Note that even Canonical-XML requires you to preserve the namespace prefixes
> that were in the XML tags, so you would really need to preserve the complete
> XML document (tags with prefixes and all) along with the signature in order
> to authenticate it if you directly sign the XML document.
> 
> By making the field optional, no one is required to use the digital
> signatures, but can if they wish to.
> 
> This optional signature field should be placed in the schema immediately before
> or after the global element whose contents need authentication.
> 
> ----------------------------------------------------------------------------
> Paul E. Thorpe                                 Toll Free    : 1-888-OSS-ASN1
> OSS Nokalva                                    International: 1-732-302-0750
> Email: thorpe@oss.com                          Tech Support : 1-732-302-9669
> http://www.oss.com                             Fax          : 1-732-302-0023
> 
> 
> 

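The regeneration step Paul describes (re-encode the XML data as DER, which has exactly one encoding for a given value, so only the signature has to be stored and the signed bytes are rebuilt by the verifier) as an added Go example; this is not code from the thread or from OSS Nokalva. The Order element, its three fields, the urn:x:ubl namespace and the Ed25519 key pair (standing in for the X.509 signature algorithm) are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/asn1"
	"encoding/xml"
	"fmt"
)

// Hypothetical UBL-like order: xml tags drive parsing, asn1 tags make asn1.Marshal emit DER.
type Order struct {
	Buyer    string `xml:"Buyer" asn1:"utf8"`
	Amount   int64  `xml:"Amount"`
	Currency string `xml:"Currency" asn1:"utf8"`
}

// DEROf parses the XML (any prefix, comments, whitespace) and re-encodes the data as DER.
func DEROf(doc []byte) ([]byte, error) {
	var o Order
	if err := xml.Unmarshal(doc, &o); err != nil {
		return nil, err
	}
	return asn1.Marshal(o)
}

// Sign signs the DER form; only the signature needs a place in the document.
func Sign(priv ed25519.PrivateKey, doc []byte) ([]byte, error) {
	der, err := DEROf(doc)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, der), nil
}

// Verify rebuilds the DER from whatever serialization arrived and checks sig against it.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	der, err := DEROf(doc)
	return err == nil && ed25519.Verify(pub, der, sig)
}

// Constructed samples: same content with a different prefix, whitespace and a comment.
var DocA = []byte(`<ubl:Order xmlns:ubl="urn:x:ubl"><ubl:Buyer>ACME</ubl:Buyer><ubl:Amount>1500</ubl:Amount><ubl:Currency>EUR</ubl:Currency></ubl:Order>`)
var DocB = []byte("<o:Order xmlns:o=\"urn:x:ubl\"><!-- reformatted -->\n <o:Buyer>ACME</o:Buyer>\n <o:Amount> 1500 </o:Amount>\n <o:Currency>EUR</o:Currency>\n</o:Order>")

var Pub, Priv, _ = ed25519.GenerateKey(rand.Reader) // throwaway demo key pair

func main() {
	sig, _ := Sign(Priv, DocA)
	fmt.Println("DocB verifies with DocA's signature:", Verify(Pub, DocB, sig))
}
```

A change to any field value (or a document that does not parse) produces different DER or no DER at all, so verification fails, while purely lexical changes to the XML do not affect it.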