W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2000

AW: Thoughts on Threat Model

From: Peter Lipp <Peter.Lipp@iaik.at>
Date: Tue, 25 Jan 2000 22:29:53 +0100
To: "John Boyer" <jboyer@uwi.com>, <reagle@w3.org>
Cc: "DSig Group" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLDEHJKOODMJCNBNCCEAGDCAA.Peter.Lipp@iaik.at>
>out his portion of the form, resulting in F'.  When the signer signs, this
>office-use-only section is blank, so when you follow the European
>guidelines, you show him F' with blank office-use-only section.
If the transform removes the office-use-only-section, I should'nt show it to
the user as he is not going to sign it at all. He is also not going to sign
the empty office-use-only-section.

> However, if 'the office' were to go and white out some of what I
> filled in, then that should break my signature on F'.
Sure, but I still can't follow. whatever that might be that has been
whitened out must be part of the signature anyway if it is important enough.
So it should break even under my model. What I don't get is that something
might fall out during the transform but still is important enough that the
signature should fail if somebody removes or changes it before the
transform. If it was that important, why does the transform remove it?

> Yes, the XPath would allow more than one document to be
> transformed down to the same message.  This is a MAJOR PART OF THE POINT.
This seems to contradict what you claim: you want the signature to fail if
somebody fiddles with the text, but it is fine to have many different
sources transform to the same finally signed document? And I would not allow
the argument that a certified application doesn't do anything wrong so .....
To me this smells like an even bigger rathole. (I confess that I saw
transforms as ratholes from the beginning, so it might be that my otherwise
clear mind is fogged my rathole-smells and thus cannot follow your arguments
clearly....)

> section is OK.  But I do know that if they make modifications outside of
> that section, then they are up to no good.
Great! But you can achive same behaviour anyway: the transform removes the
section, and leaves the rest (the outside) which is secured by the
signature. No need to go back to the source now.

> This suggested solution seems to make no sense.  If I have a referencable
> copy of the original document, then I don't need transforms, so
> putting both in a manifest is degenerately a non-solution.
I can't follow. How could I apply transformations to the original document
without having the original document?  And if I have it I consider it
referenceable - even if it might not work within manifest, put it into
object or wherever. That's not the point I want to make.

The generic problem I have is that to me this interpretation of use of
transforms seems to be rather too application-specific. I might understand
the need to adress parts of documents and that one want's to sign those,
which can be seen as some general case. For this general case I don't see
the need to bind the signature to the original, untransformed document. This
seems to be application specific, and if one wants or needs to do so, one
should see the original document as data, and the transform as data, which
then can be signed and the certified application will understand the meaning
of the signature. I understand the pure signature to just do what we said
somewhere sometime: signer hat access to data at some point in time. Binding
the untransformed data to the transform adds meaning to the signature, and
that is not general enough in my little world.....

Peter





Received on Tuesday, 25 January 2000 16:29:57 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:09 GMT