W3C home > Mailing lists > Public > public-xmlsec@w3.org > July 2008

[ACTION-16] ... proposal regarding use of transform that has parameter for passing xml model

From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
Date: Tue, 29 Jul 2008 16:51:12 +0200
Message-ID: <488F2E60.3000507@iaik.tugraz.at>
To: public-xmlsec@w3.org
Dear all,

Some steps that - taking a first quick approach - could be sufficient to
make sure an enveloping signature V2 may respect the following order for
streaming processing:

1. Algorithms
2. Data
3. DigestValues and SignatureValues

Here is a quickly drafted proposal about how this could be achieved
using the current XMLDSIG syntax:

* create a reference that points to the data (the first child of a
specific transform), the URI SHOULD be supplied for compatibility.

e.g. URI =
"#xmlns(ds=http://www.w3.org/2000/09/xmldsig#)xpointer(here()/ancestor::ds:Reference/ds:Transforms[1]/ds:Transform[1]/InlineXML[1]/child::node()[not(self::text())])"

* supply the data as a child of the first transform that is supposed to
be ignored by old applications and shall return the data contained as
its first child.

e.g. Algorithm="http://www.w3.org/2008/08/xmldsig#supply-data-transform"

* [optional] make sure it is not digested twice (ds:Reference Level &
ds:SignedInfoLevel, optional because the interpretation of conflicting
double digesting may be difficult in some legal frameworks)

e.g.
Algorithm="http://www.w3.org/2008/08/xml-exc-c14n12#SkipDataTransform"
(maybe use for forwards compatibility)

the only means we have for that is the ds:SignedInfo Level c14n, ...


Konrad

a draft example often says more than thousand words.

<Signature Id="MyStreamingEnvelopingSignature"
xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod
Algorithm="http://www.w3.org/2008/08/xml-exc-c14n12#SkipDataTransform"/>
    <SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference
URI="#xmlns(ds=http://www.w3.org/2000/09/xmldsig#)xpointer(here()/ancestor::ds:Reference/ds:Transforms[1]/ds:Transform[1]/InlineXML[1]/child::node()[not(self::text())])">

      <Transforms>
        <Transform
Algorithm="http://www.w3.org/2008/08/xmldsig#supply-data-transform">
          <InlineXML xmlns="" xmlns:ds="" ... further undeclarations ...
xmlns:*=""><!-- no space allowed/interpreted here
--><MyData></MyData><!-- no space allowed/interpreted
 here --></InlineXML>
        </Transform>
      </Transforms>
      <DigestMethod
Algorithm="http://www.w3.org/2001/04//xmlenc/#/sha256/"/>
      <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK.../DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>


-- 
Konrad Lanz, IAIK/SIC - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5547
Fax: +43 316 873 5520
https://www.iaik.tugraz.at/aboutus/people/lanz
http://jce.iaik.tugraz.at

Certificate chain (including the EuroPKI root certificate):
https://europki.iaik.at/ca/europki-at/cert_download.htm




Received on Tuesday, 29 July 2008 14:51:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:54 GMT