W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 1999

RE: Locations but not Transforms as hints (was RE: The XML-DSig Non-standard, or Location/Transforms as 'hints')

From: John Boyer <jboyer@uwi.com>
Date: Tue, 23 Nov 1999 10:31:14 -0800
To: "Mark Bartel" <mbartel@thistle.ca>, <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLAOMJKOFPMBCHJOIEEGCCCAA.jboyer@uwi.com>
Hi Mark,

comments embedded...

-----Original Message-----
From: Mark Bartel [mailto:mbartel@thistle.ca]
Sent: Tuesday, November 23, 1999 8:13 AM
To: 'John Boyer '; 'w3c-ietf-xmldsig@w3.org '
Subject: RE: Locations but not Transforms as hints (was RE: The XML-DSig
Non-standard, or Location/Transforms as 'hints')


Note that whether or not the signer is trusted is necessarily "application
specific."  If I sign something with my Mallory Certification Services
certificate and the verifier doesn't trust Mallory Certification Services,
the verifier will reject the signature even if it is otherwise valid.  I
don't think "application specific" is a dirty phrase.  Indeed, I see it as
useful and not onerous to allow applications to decide in this case.

<John>
The purpose of core behavior is to authenticate the message signed and
authenticate the signer, not to decide whether one trusts the signer or the
authentication mechanism.  The issue of trust is a policy issue typically
governed by a PKI. If a PKI is properly established then every application
on the box will dance to the same tune.
Perhaps there is a different example of why core validation must be
application-specific, but this one doesn't do it for me.  If I want to write
an app that can handle any and all documents within an enterprise, I already
assume that I must hook up to that enterprise's PKI.  Now, the more
standardization there is in how to do that, the lower my maintenance
troubles are going to be as I sell to new clients.  In the same way that I
really want trust to be standardized and free of application-specific
weirdness (or site-specific weirdness), I also want dsig core behavior to be
free from application-specific weirdness.
</John>

> Transforms outside of SignedInfo:  we both object to them, just to
> differing
> degrees.  The reason I don't object as strongly as you do is that the
> application can decide which transformations to trust.
>
> Note that the Transforms outside of the SignedInfo can be signed by
> another
> signature, and
> applications can use *that* as a criteria for trust.  However, I would
> prefer that we let applications deal with that issue and not have
> Transforms
> outside of SignedInfo.
>
> <John>
> Obviously, I agree here since signing the transforms by another
> signature
> defeats the purpose of having them unsigned in the first place.
> </John>

You are missing the point.  The application that signs the additional
Transforms is different than the application that created the original
signature.  It may or may not use different credentials to create the second
signature.

<John>
It's largely an academic point since we agree that it is best not to do it
this way anyway, but I don't think I missed the point.  Having the ability
to add arbitrary transforms to the document, even if they are signed by a
party other than the original signer, breaks the fundamental assumption of
digital signatures, which is that the document should not be modifiable in
ways meaningful to the signer after the signer has signed the document.

The signer must sign sufficient information to guarantee that the document
cannot be modified in ways that can hurt the signer.  Covering part of the
document with a different signature (esp. a removable one) doesn't change
the fact that the signer's signature doesn't cover the necessary information
to reconstruct what the signer was looking at.

I would go so far as to argue that not even a second signer's signature on
those transforms would do anything to protect the validity of the first
signer's signature unless both signatures remain intact in the document.
Further, since the receiver does not have the signer's private key, the
receiver cannot remove the second signature and replace it with a new
signature over changed transforms.
</John>

The original application may well not know that the document is
going to be moved.

<John>
I would assert that the original application (more importantly, the signer
using that application) MUST know in advance.  The signer MUST be able to
precisely control what is modifiable in a document once he signs it.  This
is the essence of the thing I call DOCUMENT CLOSURE.  If the signer cannot
precisely control what can change, then the signer's signature on the
document is meaningless because the document could differ in arbitrary ways
from what the signer intended to sign.
</John>

This is Joseph's assertions-about-assertions approach,
which I very much like and think is the only general solution to the problem
we are trying to address.  If the object is moved again, the added signature
can be removed, and a different one put in place.

<John>
Right but not by the signer!  The signer's signature does not cover enough
of the document that we can make reasonable assertions about what the signer
actually signed.
</John>

But as you point out, the idea creates issues when used in the core.  I'm
happy pushing this off to the application to make the necessary
assertions-about-assertions.  At that level, the issue of validity that you
point out goes away.

<John>
Sure, and this is an alternative I support.  But if we are going to push the
issues off to the application, then we should do it in a consistent way that
does not have a core signature signing something that isn't true.  If the
Location doesn't tell where to get the bits by some well-known and
well-document, public, open-standard process, then the Location shouldn't be
signed.
If we want to make these issues application-specific, then it makes more
sense to me to be consistent in how we move responsibility to the
application.  We should move it to the application by moving issues of
Location to the Manifest.  I would be happy to support this alternative.

The only thing I am saying is that the currently defined core has created a
problem that can be interpreted in one of two ways:

1) Location as law
In this case, apps that don't want to sign Location must not use core
behavior.  So they can solve their problem using a Manifest, but it is the
design of core that seems flawed because the signer does not care about
where the data is and yet is being forced to sign it, thereby making its
location invariant.

2) Location as hint
In this case, apps that don't want to sing Location must sign it, but
changes its meaning under the covers. This is a brutal hack in which we seem
to be changing the meaning of what got signed to suit the fact that our
design can't solve the problem.

</John>

> Your example:  this is not a problem I was trying to solve.  My main
> concern
> was for the x.com to y.com or base64 on web to unencoded on
> disk type of
> changes, which my concept of "location as hint" addresses.  I was not
> trying
> to deal with the general document transmogrification case; do we feel
> this
> is a problem we need to solve?
>
> <John>
> Yes, since the example I gave is the base64 in the document
> to unencoded
> on
> disk.  This is one of Rich Himes's scenarios, and it was also
> one of the
> original goals that Dave Solo had. The movement of the bag of
> bits from
> within the document to without should not break the signature.
> </John>

My bad.  I had forgotten that the base64-encoded document was embedded in
that example.  Yes, a different mechanism has to be used for that.  I don't
see the XPath-over-SignedInfo solution as effective because the signing
application has to *know* that the document is going to move.  To me, the
conceptually proper solution is to use assertions-about-assertions.  I like
location-as-hint because it simplifies what seems to me will be a common
case (http://x.com/this changing to http://y.com/that) without adding
complexity, but I don't have a problem with using assertions for that case
as well.

Perhaps at a later point in the process we should attempt to address such
assertions, and specify how to do the one necessary for this (the document
here is the document that was there).

<John>
Firstly, I'm having trouble understanding which position you're working
toward.  Assertions about assertions doesn't seem to need location as hint,
and location as hint doesn't need assertions about assertions.  Are you
saying that either is fine with you?

As for Xpath over SignedInfo, the application MUST know how the document
will be modified or we defeat the fundamental purpose of digital signatures,
which is to associate a document with a person.  The allowable changes after
signing must be predefined and undergo security review before the app can be
used by the signer.  The signer's signature must include the list of
allowable changes.  The signature must break if the list of allowable
changes is changed after signing or if the document is changed in ways not
allowed by the list of allowable changes.  This is the essence of DOCUMENT
CLOSURE.

Assertions about assertions are awful in this case because it is not the
signer making the change of assertion about how to transform the document.
The transforms define the list of allowable changes, and if the signer
doesn't sign those, then the document can be substantially altered without
breaking the signer's signature.  It is a little tricky to break because the
modified transforms still have to produce the bits signed by the signer, but
it is not very hard to break since one can switch from omission logic to
inclusion logic, at which point extra material can be inserted just about
anywhere.

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company
</John>

-Mark Bartel
JetForm Corporation
Received on Tuesday, 23 November 1999 13:32:38 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:08 GMT