Thoughts on Threat Model from John Boyer on 2000-01-24 (w3c-ietf-xmldsig@w3.org from January to March 2000)

From: John Boyer <jboyer@uwi.com>
Date: Mon, 24 Jan 2000 15:33:54 -0800
To: <reagle@w3.org>
Cc: "DSig Group" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLAOMJKOFPMBCHJOIMECCCDAA.jboyer@uwi.com>

Hi Joseph,

You asked me to consider the threat model associated with having signed
transforms not necessarily obeyed by the verifier.

For starters, implicit in your question was the assumption that these are
signed assertions about what the signer did to produced the message to be
hashed.  I like this, but the language in our specification does not
strongly point this out.  So, the wording of our document would need to be
changed to say that the signer MUST perform the transforms as part of
calculating the message.

The verifying program may cache partial results, or the full results of
these transforms, but in my view they have 'effectively' performed the
transforms (as long as the cache is secure).  The verifier can choose to
move the data around and perform their own transforms, but they do so at
their own risk in the sense that the verifier will have the burden of proof
in showing that they have not materially altered the signature.  One way to
do this is to reconstruct the actual document signed by the signer.

Thus, I would be happier if the specification were to RECOMMEND that the
verifier perform the transforms 'in effect'.  Variations from the stated
transforms are done at the verifier's risk.  To be honest, I don't think
there is any real harm in saying that verifiers MUST follow the transforms
because there is a way to opt out of this using a Manifest, as I've shown in
past emails.

If, on the other hand, the intention of the WG is to say that transforms are
only hints even for the signer, then I would have a big problem with that.
At that point, I would ask what point there is in writing down the
transforms at all.  If each application were totally free to derive whatever
portion of the document they chose *for signing* without the requirement
that the transforms describe this derivation, then as I've said in prior
email, the transforms would be of little value from a security standpoint.
They would only exist as application hints, and we have a place for those--
Object.

In conclusion, I think it is necessary to REQUIRE applications to follow the
given transforms 'in effect' when creating a signature, and anything short
of this nullifies the security value of transforms.  I think it is safe to
RECOMMEND that verifying programs perform the transforms 'in effect'.

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company

Received on Monday, 24 January 2000 18:34:11 UTC