W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2000

Re: Scenarios/FAQ

From: Christophe Vermeulen <Christophe.Vermeulen@alcatel.be>
Date: Tue, 18 Jan 2000 17:44:59 +0100
Message-ID: <3884988B.E24AC782@alcatel.be>
To: DSig Group <w3c-ietf-xmldsig@w3.org>
CC: John Boyer <jboyer@uwi.com>
Hi,

Andreas Schmidt wrote:
> John Boyer wrote:
> 
> I want to briefly comment on FAQs 2) and 5) cited below

As I'm not an active member of this group, I'll state the context :
In the IETF IMPP WG, we are currently defining an XML presence format that
should be understood by "very simple parsers", though allow signing 
documents. The idea at the moment is to use multipart/signed for that, 
although we would like to evaluate the use of XMLDSIG, especially for 
signing only part of the document in some circumstances. But if I believe 
the FAQ, it seems not possible to use XMLDSIG in S/MIME. Right ?

So maybe none of the three solutions below would work, as we expect
the XML document to be "untouched". Or could we have a "detached"
signature that refers to the "related"/sibling MIME part ?
(Is there an URL way of refering to siblings ?)
 
> > 2) I have a whole XML document.  How do I sign it?
> >
> > A1: If the XML document is addressable by a URL, then you could create a
> > detached signature. The SignedInfo Reference would include a URI to the XML
> > document.
> >
> > A2: If you have a copy of the XML document in some temporary file or memory
> > buffer, you can put the data in an enveloping signature.  It is likely that
> > you will have to base-64 encode the XML document since an entire XML
> > document cannot appear as element content.  Alternately, character sequences
> > forbidden from content by XML can be escaped using the XML escaping
> > mechanism.
> >
> > A3: You could create an enveloped signature inside the XML document. The
> > SignedInfo Reference would refer to the document’s root element.  The
> > signature would have to use transforms to excluded itself from the message
> > digested in the Reference’s DigestValue.

I think it is needed to elaborate on that last sentence in another FAQ : 

Q 2 bis) I want to include an enveloped signature inside the signed 
document. How can I exclude itself from the signing process ?

> > 5) I have an XML document.  How do I combine that document with a signature
> > such that, in the resulting document, the signature signs the original
> > document?
> >
> > A1: Create an enveloping signature around the root element of the document.
> > A2: Create an enveloped signature.  The signature is placed inside the
> > document, and its SignedInfo Reference contains transforms that omit the
> > signature from the document.
 
> First it seems to me, that these two could be combined into a single
> question (maybe with subpoints). 

They look very close to me too, but maybe there is a difference I don't get ?.

> 1. In answers 2) A3 and 5) A2 the _minimum_ content to be omitted by the
> transformations (DigestValue and SignatureValue), and that it MUST be omitted
> for the signature to validate should be clearly stated (since I think FAQs
> are for the non-expert). 

yes, and I'm definitely one of those. Even further : an example of such a 
transform in the FAQ would be appreciated.

Christophe.
------------------------------------------------------------------------
Statutory Disclaimer: The above is not necessarily an Alcatel position. 
------------------------------------------------------------------------
          _             Christophe Vermeulen
          V             Security Specialist, Service Deployment Project
 .-----------------.    Alcatel Bell, Research Division DS9 F/C0
 |  A L C A T E L  |    Fr. Wellesplein 1 - B-2018 Antwerp - Belgium
 '-----------------'    Phone: +32 3 240 8942 - Fax: +32 3 240 8485 
                        mailto:Christophe.Vermeulen@alcatel.be
                        http://www.rc.bel.alcatel.be/~meulenc (Intranet)
------------------------------------------------------------------------
Received on Tuesday, 18 January 2000 11:45:38 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:09 GMT