W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 1999

Re: Schema/DTD represented in sig?

From: Winchel 'Todd' Vincent, III <Winchel@mindspring.com>
Date: Thu, 24 Jun 1999 15:15:53 -0400
Message-ID: <005401bebe75$fa860210$919f6083@gsu.edu>
To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
>From: Ralph R. Swick <swick@w3.org> Sent: Wednesday, June 23, 1999 4:36 PM
>
> The specific point at issue here is whether changes to a document's
> "defining document"; i.e. today its XML DTD, tomorrow its XML Schema,
> can alter the interpretation of a document.  If changes can alter
> the intended application interpretation, then the signature process
> must explicitly account for this in some manner.
>
> One could certainly include this case in the generalization to any
> object that is external to the signed document but I suspect that
> the DTD or XML Schema is sufficiently important to warrant explicit
> treatment in the signature specification.

> From: Bugbee, Larry Wednesday, June 16, 1999 3:03 PM
>
>   1. If person A signs a portion of a document and it is
>      altered and signed by B, will you be able to later
>      know what A signed?

The following is both a legal perspective and a technical/policy solution
for the above issue(s):

The law generally requires an "original" to be introduced into evidence.
Anything but an "original" has historically not been considered credible
evidence.  As modern devices, such as copiers, have made it cheap and easy
to duplicate "originals" in a way that does not materially alter their
credibility, the general rule has relaxed.

So, for instance, Federal Rule of Evidence 1002 states:

RULE 1002. REQUIREMENT OF ORIGINAL
To prove the content of a writing, recording, or photograph, the original
writing, recording, or photograph is required, except as otherwise provided
in these rules or by Congress.

However, Federal Rule of Evidence 1003 relaxes this rule by stating:

RULE 1003. ADMISSIBILITY OF DUPLICATES
A duplicate is admissible to the same extent as an original unless (1) a
genuine question is raised as to the authenticity of the original or (2) in
the circumstances it would be unfair to admit the duplicate in lieu of the
original.

The problem with electronic records is that they are easily and ubiquitously
copied and easily and very often undetectably altered.

Applying a digital signature to an electronic record does not solve the
copying problem, but it does help us to know whether a document has been
altered.

The problem that Ralph correctly points out (which is related to the
question we discussed at the Workshop -- how far do you follow a link and do
you expand entities) is that if you refer to another "object" (such as a
schema definition) for the meaning of your mark-up, then you have changed
the meaning of your document.

So, while the digital signature give us pretty good assurance that the bits
and bytes have not been altered, this assurance is not exactly what we're
after -- what we really want is to make sure the meaning has not changed --
i.e., that we have credible evidence.

The solution to the problem is technical but ultimately rests on policy --
it combines a mixture of either unique OIDs or URIs and reliable time
stamps.

If Document A relies upon its meaning from Schema B, then if Schema B
changes, then so does the meaning of Document A.  (This is Ralph's problem.)

The solution to this problem is to make Schema B unambiguous and set the
unambiguity in time.

To make Schema B unambiguous, I either give it unique OID or a URI. (Note,
this is a matter of policy.) (Also, I don't care whether you use an OID or a
URI, as long as the reference is unique and will reliably remain unique).

Once Schema B is unambiguous, you must make sure that it does not change
over time.  If OID #1001 (or URI http://www.w3.org/SchemaB/) references
Schema B Version 1, then we haven't solved the problem if/when Schema B
changes to Version 2.  Version 2 will change the meaning of Document A if
document A refers to it wit the same OID/URI.

Relying on authors to correctly state versions numbers is OK, but to really
feel safe we probably want to timestamp Schema B, Version 1 with a reliable
timestamp.  In this way, we can fix the meaning in time, a very safe
solution until someone invents a time machine.  (Of course, determining a
reliable source for a timestamp is also a matter of policy.)

In a conversation with Barbra Fox at the W3C Signed XML workshop, she told
me that application developers are largely ignoring OIDs.  I was very
surprised to find that the Namespace Recommendation did not require URI to
be unique.

Allow me to switch back to the law:

Although modern statutes have changed this requirement, to have legal title
in property, the chain of title for property must be traced back from owner,
to owner, to owner until you arrive a the sovereign -- the only "power" that
has the authority to grant ownership is someone other than the State.

Back to technology:

Technology faces the same problem.  I'm less a technologist that anyone on
this list, but I've seen in it certificate chains.  I see it policy
statements about implemented technology.  We face the same problem here --
somehow you have to find the root authority or, in our case, the meaning of
the object you are referencing.  The only way I can figure to do this is
with a combination of unique object identifiers and time stamps.

Todd Vincent (not Glassy, but you might not know it from the above . . . :-)
Received on Thursday, 24 June 1999 15:13:28 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:06 GMT