[ACTION-16] ... proposal regarding use of transform that has parameter for passing xml model

Dear all,

Some steps that - taking a first quick approach - could be sufficient to
make sure an enveloping signature V2 may respect the following order for
streaming processing:

1. Algorithms
2. Data
3. DigestValues and SignatureValues

Here is a quickly drafted proposal about how this could be achieved
using the current XMLDSIG syntax:

* create a reference that points to the data (the first child of a
specific transform), the URI SHOULD be supplied for compatibility.

e.g. URI = "#xmlns(ds=http://www.w3.org/2000/09/xmldsig#)xpointer(here()/ancestor::ds:Reference/ds:Transforms[1]/ds:Transform[1]/InlineXML[1]/child::node()[not(self::text())])"

* supply the data as a child of the first transform that is supposed to
be ignored by old applications and shall return the data contained as
its first child.

e.g. Algorithm="http://www.w3.org/2008/08/xmldsig#supply-data-transform"

* [optional] make sure it is not digested twice (ds:Reference level &
ds:SignedInfo level; optional because the interpretation of conflicting
double digesting may be difficult in some legal frameworks)

e.g. Algorithm="http://www.w3.org/2008/08/xml-exc-c14n12#SkipDataTransform" (maybe use for forwards compatibility)

the only means we have for that is the ds:SignedInfo Level c14n, ...


Konrad

A draft example often says more than a thousand words.

<Signature Id="MyStreamingEnvelopingSignature" xmlns="http://www.w3.org/2000/09/xmldsig#"> 
  <SignedInfo> 
    <CanonicalizationMethod Algorithm="http://www.w3.org/2008/08/xml-exc-c14n12#SkipDataTransform"/> 
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> 
    <Reference URI="#xmlns(ds=http://www.w3.org/2000/09/xmldsig#)xpointer(here()/ancestor::ds:Reference/ds:Transforms[1]/ds:Transform[1]/InlineXML[1]/child::node()[not(self::text())])"> 
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2008/08/xmldsig#supply-data-transform">
          <InlineXML xmlns="" xmlns:ds="" ... further undeclarations ... xmlns:*=""><!-- no space allowed/interpreted here --><MyData></MyData><!-- no space allowed/interpreted here --></InlineXML>
        </Transform>
      </Transforms> 
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
      <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue> 
    </Reference> 
  </SignedInfo> 
  <SignatureValue>...</SignatureValue> 
  <KeyInfo> 
    <KeyValue>
      <DSAKeyValue> 
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y> 
      </DSAKeyValue> 
    </KeyValue> 
  </KeyInfo> 
</Signature>


-- 
Konrad Lanz, IAIK/SIC - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5547
Fax: +43 316 873 5520
https://www.iaik.tugraz.at/aboutus/people/lanz
http://jce.iaik.tugraz.at

Certificate chain (including the EuroPKI root certificate):
https://europki.iaik.at/ca/europki-at/cert_download.htm

Received on Tuesday, 29 July 2008 14:24:37 UTC
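
The following is an added example, not part of the original message or of any XMLDSIG implementation: a one-pass check that lists the order in which a streaming parser meets algorithm identifiers, the inline data and the digest/signature values, and reports anything that arrives out of the Algorithms, Data, Values order. The sample document is constructed and simplified from the draft above; the `urn:example:*` identifiers and the function names are assumptions.

```python
import io
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample modelled on the draft above; all values are placeholders.
SAMPLE = f"""<Signature xmlns="{DS}">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="urn:example:c14n"/>
    <SignatureMethod Algorithm="urn:example:sig"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="urn:example:supply-data">
          <InlineXML xmlns=""><MyData>payload</MyData></InlineXML>
        </Transform>
      </Transforms>
      <DigestMethod Algorithm="urn:example:digest"/>
      <DigestValue>AAAA</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>BBBB</SignatureValue>
</Signature>"""

PHASE = {"algorithm": 1, "data": 2, "value": 3}

def stream_events(xml_text):
    """Return (phase, element name) pairs in the order a one-pass parser meets them."""
    out = []
    source = io.BytesIO(xml_text.encode())
    for _, el in ET.iterparse(source, events=("start",)):
        ns, _, local = el.tag.rpartition("}")
        ns = ns.lstrip("{")
        if ns == DS and "Algorithm" in el.attrib:
            out.append(("algorithm", local))
        elif ns == "" and local == "InlineXML":
            out.append(("data", local))
        elif ns == DS and local in ("DigestValue", "SignatureValue"):
            out.append(("value", local))
    return out

def order_violations(events):
    """Names of items that arrive after a later phase has already started."""
    seen_max, late = 0, []
    for phase, name in events:
        if PHASE[phase] < seen_max:
            late.append(name)
        seen_max = max(seen_max, PHASE[phase])
    return late
```

On the constructed sample the only item reported is `DigestMethod`, which follows `Transforms` in the `Reference` content model and is therefore read after the inline data.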