
[ACTION-98] Part-I: Requirement to sign derived data

From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
Date: Tue, 04 Nov 2008 16:09:39 +0100
Message-ID: <491065B3.7030108@iaik.tugraz.at>
To: XMLSec WG Public List <public-xmlsec@w3.org>
Dear fellow XML-Sec members,

> Draft database certificate use case and requirements for document,
> share on mail list

Let me first state more precisely that the requirement for XML
Signatures to be able to secure derived data is not only limited to data
derived from a database.

Rationale: The rationale for requiring XML Signature applications to
remain (at least optionally) supporting standard XML transformations,
like stylesheets (XSL), is to have a deployed capability for securing
derived data. This data can either be retrieved from a database or
larger XML documents and is to be transformed into human-readable
formats such as HTML, XHTML, plain text or PDF.

cf. http://www.w3.org/TR/xmldsig-core/#sec-Seen
> If signing is intended to convey the judgment or consent of a user
> (an automated mechanism or person), then it is normally necessary to
> secure as exactly as practical the information that was presented to
> that user. Note that this can be accomplished by literally signing
> what was presented, such as the screen images shown a user. However,
> this may result in data which is difficult for subsequent software to
> manipulate. Instead, one can sign the data along with whatever
> filters, style sheets, client profile or other information that
> affects its presentation.


1. Requirement: XML Signatures should be able to secure derived data.
The chain of transforms is supposed to be secured by the signature
itself and shall express the derivation as reproducible processing to
retrieve the actually secured data (the digest input), which is to be
presented to the user.

cf.: http://www.w3.org/TR/xmldsig-core/#sec-See :
> the transformed document that should be represented to the user and
> signed

As concerns about the trustworthiness and the impracticability and high
costs of inspecting and analyzing stylesheets have been raised:

2. Requirement: The ds:SignatureValue and the ds:SignedInfo shall be
verified before the ds:Reference elements. Hence only signed
ds:Transforms will be executed.
Stylesheets referred to via xsl:include or xsl:import will have to be
referred to by a ds:Reference previous to the ds:Reference in question
(the one including/importing the other stylesheets).

3. Requirement: The XML Signature Spec should require implementations to
prominently allow access to the digest input.

4. Requirement: Requirements 1. to 3. should not prevent a profile or
new markup to clearly designate constrained transforms allowing for
streaming processing, potentially including constrained stylesheets.

Konrad


Received on Tuesday, 4 November 2008 15:11:01 GMT
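The verification order that requirements 2 and 3 above ask for, as an added example that is not part of the original message or of any XML Signature implementation: ds:SignatureValue is checked over the canonicalized ds:SignedInfo first, and only then are the (now signed) ds:Transforms executed and the digest input handed back to the caller. It uses only the Python standard library; the HMAC-SHA256 signer, the shared KEY, the SAMPLE_DOC with a base64 payload, and the single base64 transform in the registry are constructed for the example. The stdlib canonicalizer implements C14N 2.0, which is used here for both signing and verifying as a simplification even though SignedInfo names the 1.0 algorithm.

```python
"""Verify ds:SignedInfo before executing any ds:Transform, then expose the
digest input (added example; HMAC key, sample document and signer are
constructed, not from any real implementation)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# Real XML Signature algorithm identifiers used below.
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
BASE64 = "http://www.w3.org/2000/09/xmldsig#base64"

# Constructed sample: the signer digests the *decoded* payload, so the
# verifier has to run the same base64 transform to reproduce the digest input.
SAMPLE_DOC = '<Doc><Data Id="d1">SGVsbG8gd29ybGQ=</Data></Doc>'
KEY = b"example-shared-key"  # constructed HMAC key for the example


def _base64_transform(data):
    # For node-set input the spec takes the text content of the nodes.
    text = data if isinstance(data, str) else "".join(data.itertext())
    return base64.b64decode(text)


# The only transforms this verifier will ever execute. Anything else is
# rejected before any data is touched; an XSLT handler would belong here too,
# and would still only run after SignedInfo has verified (requirement 2).
TRANSFORMS = {BASE64: _base64_transform}


def c14n(elem):
    """Canonical bytes of a subtree via the stdlib canonicalizer (C14N 2.0)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def _find_by_id(root, ref_id):
    for e in root.iter():
        if e.get("Id") == ref_id:
            return e
    raise ValueError(f"no element with Id={ref_id!r}")


def _octets(data):
    """Turn the end of a transform chain into bytes for digesting."""
    return data if isinstance(data, bytes) else c14n(data)


@dataclass
class ReferenceResult:
    uri: str
    digest_ok: bool
    digest_input: bytes  # requirement 3: exactly what was digested


@dataclass
class VerificationResult:
    signed_info_valid: bool
    references: list = field(default_factory=list)
    transforms_executed: list = field(default_factory=list)


def sign(doc_xml, key, data_id, transforms):
    """Append a ds:Signature over the element with Id=data_id (constructed signer)."""
    root = ET.fromstring(doc_xml)
    data = _find_by_id(root, data_id)
    for alg in transforms:
        data = TRANSFORMS[alg](data)
    digest = base64.b64encode(hashlib.sha256(_octets(data)).digest()).decode()

    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N)
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI=f"#{data_id}")
    ts = ET.SubElement(ref, f"{{{DS}}}Transforms")
    for alg in transforms:
        ET.SubElement(ts, f"{{{DS}}}Transform", Algorithm=alg)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest

    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def verify(signed_xml, key):
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{{{DS}}}Signature")
    si = sig.find(f"{{{DS}}}SignedInfo")

    # Step 1 (requirement 2): SignatureValue over SignedInfo is checked first.
    expected = hmac.new(key, c14n(si), hashlib.sha256).digest()
    actual = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue"))
    if not hmac.compare_digest(expected, actual):
        # SignedInfo is untrusted, so not a single transform is executed.
        return VerificationResult(signed_info_valid=False)

    result = VerificationResult(signed_info_valid=True)
    # Step 2: only now run the signed transform chains and check each digest.
    for ref in si.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        data = _find_by_id(root, uri[1:])  # same-document "#Id" references only
        for t in ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform"):
            alg = t.get("Algorithm")
            if alg not in TRANSFORMS:
                raise ValueError(f"unsupported transform {alg}")
            data = TRANSFORMS[alg](data)
            result.transforms_executed.append(alg)
        digest_input = _octets(data)
        digest = base64.b64encode(hashlib.sha256(digest_input).digest()).decode()
        ok = hmac.compare_digest(digest, ref.findtext(f"{{{DS}}}DigestValue"))
        result.references.append(ReferenceResult(uri, ok, digest_input))
    return result


def add_unsigned_transform(signed_xml, alg):
    """Simulate tampering: append a ds:Transform without re-signing SignedInfo."""
    root = ET.fromstring(signed_xml)
    ts = root.find(f".//{{{DS}}}Transforms")
    ET.SubElement(ts, f"{{{DS}}}Transform", Algorithm=alg)
    return ET.tostring(root, encoding="unicode")
```

Running `verify(sign(SAMPLE_DOC, KEY, "d1", [BASE64]), KEY)` returns a result whose `digest_input` is the decoded payload, which is what requirement 3 asks an implementation to expose. Adding a transform to the signed document with `add_unsigned_transform` (for instance the XSLT transform identifier) breaks the SignedInfo check, and `transforms_executed` stays empty: the unsigned transform is never run, which is the point of requirement 2.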
