W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 1999

Re: Suggested Security Considerations Section

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Wed, 13 Oct 1999 15:52:36 -0400
Message-Id: <>
To: dee3@us.ibm.com
Cc: w3c-ietf-xmldsig@w3.org
At 23:47 99/10/12 -0400, dee3@us.ibm.com wrote:
 >Only What is Signed is Secure
 >The flexible Transformations mechanism, including canonicalization and
 >filtering and extraction, permit securing only a subset of data in an
 >This is good for many applications where a limited portion of an object
 >change after the signature or different signatures secure different parts
or the
 >application modifies aspects of the object that are not significant and
can be
 >omitted from signature coverage or the like.   Keep in mind that whenever
 >is done, those aspects that are not signed can be arbitrarily modified and
 >signature will still validate.

Given this section is called "transformations" for good reason, I'm
concerned about the reliance upon "subset of data". How about something like:

The Transformations mechanism permits the signer to transform a source
document into a derived document. Two obvious purposes for this feature is
to canonicalize a document, or perform filtering and extraction such that
the application derives and signs only a subset of the source content.
Consequently, those portions of the source document that are not reflected
in the derived document can be arbitrarily modified and the signature will
still validate.

 >Only What is "Seen" Should be Signed
 >If signing is intended to convey the judgment or consent of an automated
 >mechanism or person concerning some information, then it is normally
 >to secure as exactly as possible the information that was presented to that
 >mechanism or person.  Note that this can be accomplished by literally
 >what was presented, for example the screen images shown a user.  However,
 >may result in data which it is difficult for subsequent software to
 >It can be effective instead to secure the full data along with whatever
 >style sheets, or the like were used to control the part of the information
 >was presented.

I think I prefer the following <smile>

Applications are recommended to ensure signers understand the actual
resulting content that is being signed after transformations are applied.
Users should not be tricked into signing a native content that is
transformed into something that the user would not have signed otherwise.
This recommendation applied to transformations specified in the signature
block, as well as transformations found within the document itself. 

Joseph Reagle Jr.   
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://w3.org/People/Reagle/
Received on Wednesday, 13 October 1999 16:00:00 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:32 UTC