
Re: Suggested Security Considerations Section

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Wed, 13 Oct 1999 15:52:36 -0400
Message-Id: <3.0.5.32.19991013155236.00a1c100@localhost>
To: dee3@us.ibm.com
Cc: w3c-ietf-xmldsig@w3.org
At 23:47 99/10/12 -0400, dee3@us.ibm.com wrote:
 >Only What is Signed is Secure
 >
 >The flexible Transformations mechanism, including canonicalization and explicit
 >filtering and extraction, permits securing only a subset of data in an object.
 >This is good for many applications where a limited portion of an object must
 >change after the signature or different signatures secure different parts or the
 >application modifies aspects of the object that are not significant and can be
 >omitted from signature coverage or the like. Keep in mind that whenever this
 >is done, those aspects that are not signed can be arbitrarily modified and the
 >signature will still validate.

Given this section is called "transformations" for good reason, I'm
concerned about the reliance upon "subset of data". How about something like:

The Transformations mechanism permits the signer to transform a source
document into a derived document. Two obvious purposes for this feature are
to canonicalize a document, or perform filtering and extraction such that
the application derives and signs only a subset of the source content.
Consequently, those portions of the source document that are not reflected
in the derived document can be arbitrarily modified and the signature will
still validate.

 >Only What is "Seen" Should be Signed
 >
 >If signing is intended to convey the judgment or consent of an automated
 >mechanism or person concerning some information, then it is normally necessary
 >to secure as exactly as possible the information that was presented to that
 >mechanism or person.  Note that this can be accomplished by literally signing
 >what was presented, for example the screen images shown to a user.  However, this
 >may result in data which it is difficult for subsequent software to manipulate.
 >It can be effective instead to secure the full data along with whatever filters,
 >style sheets, or the like were used to control the part of the information that
 >was presented.

I think I prefer the following <smile>

Applications are recommended to ensure signers understand the actual
resulting content that is being signed after transformations are applied.
Users should not be tricked into signing native content that is
transformed into something that the user would not have signed otherwise.
This recommendation applies to transformations specified in the signature
block, as well as transformations found within the document itself.


_________________________________________________________
Joseph Reagle Jr.   
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://w3.org/People/Reagle/
Received on Wednesday, 13 October 1999 16:00:00 GMT
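As an added illustration (not part of this thread or of the XML-Signature draft), the following Python models the "only what is signed is secure" point: a hypothetical filtering transform derives a subset of the source document, and a MAC is computed over that derived document only. The sample document, the key and the element names are constructed; the transform and serialization stand in for a real Transform and canonicalization and are not the W3C algorithms.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: the signer intends to cover only the <order> subtree.
SOURCE_DOC = "<doc><order><item>widget</item><qty>2</qty></order><note>rush</note></doc>"
KEY = b"constructed-demo-key"  # hypothetical shared key; XML-DSig would normally use a key pair


def transform(xml_text, keep_tag):
    """Hypothetical filtering transform: derive a document holding only the `keep_tag`
    child subtree. Serialization is ElementTree's, not W3C canonical XML."""
    root = ET.fromstring(xml_text)
    subset = root.find(keep_tag)
    if subset is None:
        raise ValueError(f"transform selected nothing: <{keep_tag}> absent")
    return ET.tostring(subset, encoding="unicode")


def sign(xml_text, keep_tag):
    """Sign the derived document; the signer should review transform() output first,
    since that is the content actually covered."""
    derived = transform(xml_text, keep_tag)
    return hmac.new(KEY, derived.encode(), hashlib.sha256).hexdigest()


def verify(xml_text, keep_tag, signature):
    derived = transform(xml_text, keep_tag)
    expected = hmac.new(KEY, derived.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def demo():
    """Show which edits to the source survive verification against one signature."""
    sig = sign(SOURCE_DOC, "order")
    # Content outside the derived document changes: the signature still validates.
    changed_note = SOURCE_DOC.replace("<note>rush</note>", "<note>cancelled</note>")
    # Content inside the derived document changes: validation fails.
    changed_qty = SOURCE_DOC.replace("<qty>2</qty>", "<qty>2000</qty>")
    return {
        "reviewed_by_signer": transform(SOURCE_DOC, "order"),
        "original": verify(SOURCE_DOC, "order", sig),
        "unsigned_part_modified": verify(changed_note, "order", sig),
        "signed_part_modified": verify(changed_qty, "order", sig),
    }


if __name__ == "__main__":
    print(demo())
```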