ubl-ndrsc message



Subject: RE: [ubl-ndrsc] Digital Signatures


(reply inline as <BILLB1/>)

-----Original Message-----
From: Paul Thorpe [mailto:thorpe@oss.com] 
Sent: Tuesday, June 03, 2003 10:19 PM
To: Burcham, Bill
Cc: ubl-ndrsc@lists.oasis-open.org
Subject: RE: [ubl-ndrsc] Digital Signatures


<<munch>>

On Tue, 3 Jun 2003, Burcham, Bill wrote:
> Choosing the signature representation and algorithm described in the 
> X.509 certificate standard doesn't free us from this burden.  
> Regardless of algorithm and signature representation, these steps will 
> happen:
> 
> 0. XML source document exists
> [1. optionally: XML is canonicalized]
> 2. digest algorithm is applied to some representation of the XML
> 3. the digest is digitally signed
> 4. the digest, and signature are stored back into the infoset (0)
> 
> What advice does X.509 provide for (1)?  What advice does it provide 
> for (2)?  It provides some advice for the format of (4) (DER encoded 
> structures) -- but how is that represented back into XML (UBL)?

With X.509, it is not necessary to store the digest.  Only the signature
needs to be stored.  The "digest" is the DER encoding which can be recreated
from the data in the XML document.  

<BILLB1>
Yes, and what is the process by which that DER encoding is recreated from
the XML document?  A) a canonicalization transformation is useful in
practice, followed by b) a process (production rules) for turning the XML
into DER is executed.  A and B are described by the XML Digital Signature
specification.
</BILLB1>

Since DER is truly canonical, the "digest" does not need to be kept.

<BILLB1>
Interesting point Paul. I didn't know that.  But, the whole point of a
digest is that it's fairly small (fixed size).  It wouldn't make sense to
throw out the Dsig specification just to save those bytes.
</BILLB1>

<<munch>>
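
Steps (1) and (2) from the list quoted above, as an added example that is not part of the original thread: two byte-different serializations of the same XML digest differently until they are canonicalized. Assumptions: the sample documents are constructed, SHA-256 is chosen here as the digest, and Python's standard-library `canonicalize` implements C14N 2.0 rather than the C14N 1.0 referenced by XML Digital Signature; the signing step (3) is not shown.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample documents (not from the thread): the same information
# serialized with different attribute order, quoting, spacing and empty-tag form.
DOC_A = '<Order id="42" currency="EUR"><Item qty="1">Widget</Item><Note/></Order>'
DOC_B = "<Order  currency='EUR'   id='42'><Item qty='1'>Widget</Item><Note></Note></Order>"
# Constructed tampered copy: a real content change that must alter the digest.
DOC_TAMPERED = DOC_A.replace('qty="1"', 'qty="9"')


def raw_digest(xml_text: str) -> str:
    """Step 2 without step 1: digest the bytes exactly as serialized."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_form(xml_text: str) -> str:
    """Step 1: canonicalize (sorted attributes, uniform quoting, expanded empty tags)."""
    return canonicalize(xml_data=xml_text)


def c14n_digest(xml_text: str) -> str:
    """Steps 1 + 2: digest the canonical representation."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def digest_matches(xml_text: str, stored_digest: str) -> bool:
    """Verifier side: recompute the canonical digest and compare in constant time."""
    return hmac.compare_digest(c14n_digest(xml_text), stored_digest)


if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests equal:", c14n_digest(DOC_A) == c14n_digest(DOC_B))
    print("canonical form:         ", canonical_form(DOC_B))
    stored = c14n_digest(DOC_A)  # the value that step 3 would sign
    print("re-serialized verifies: ", digest_matches(DOC_B, stored))
    print("tampered verifies:      ", digest_matches(DOC_TAMPERED, stored))
```
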

