W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2000

KeyInfo and KeyValue

From: Brian LaMacchia <bal@microsoft.com>
Date: Tue, 14 Mar 2000 15:34:02 -0800
Message-ID: <39ADCF833E74D111A2D700805F1951EF0E32F1A8@RED-MSG-06>
To: "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>
Cc: "'Peter Hesse'" <pmhesse@cygnacom.com>, "'Carl Wallace'" <cwallace@erols.com>
There seems to be a bunch of confusion about the role of KeyInfo clauses and
suppositions about particular environments in which XML-DSIG is expected to
operate.  I'm combining responses to Peter and Carl here in the hope of
pulling things back together.  Apologies in advance for the length.

First, Peter wrote:

	Brian, 
	Sorry for the confusion. I misspoke in my email. I meant KeyValue,
not KeyInfo. KeyInfo is very valuable. KeyValue is a specific form of
KeyInfo. Mandating that the KeyValue type of KeyInfo is required to
implement is not good. That's because KeyValue is the "actual key(s) used to
validate the signature. If the key is sent in protected form, the MgmtData
element should be used." 
	So what I'm saying is that sending an unprotected key by using the
KeyValue mechanism does little good in a trust-management environment, such
as an X.509 or PKIX environment. I'm concerned that (A) by populating
KeyValue, I might encourage users to simply verify the signature based on
the contents of KeyValue without even attempting to validate my certificate
or certificate path, and (B) by making my implementation accept KeyValue, I
open myself up to accepting signatures that I shouldn't trust. 
	Since neither A or B is acceptable in a PKI environment, I would
rather just not bother with KeyValue at all. Thus we'd like to see it not be
a MUST implement. 
	--Peter 
I think the problem here may stem from the wording Peter highlights and a
confusion of two separate operations: (1) cryptographic signature
validation, and (2) trust management determinations about a particular key
pair.  These are two fundamentally separate concepts within XML-DSIG; we
explicitly separate the process of "verifying" that a digital signature is
well-formed (computationally correct) from determining whether to place any
trust in the key pair that performed the digital signature operation or the
semantic content of the properly-signed message.  Our primary concern is
with step (1), so we care that conformant implementations always have a way
to communicate enough information to perform the cryptographic signature
check.  That's why KeyValue support is required; it guarantees that two
XML-DSIG implementations have at least one method of communicating enough
information to cryptographically validate the signature.  
Now, the wording quoted above from Section 4.4, that KeyValue contains the
"actual key(s) used to validate the signature," seems to imply that the
information in KeyValue *must* be used by the verifying application.  This
was never the intent of anything contained within KeyInfo, so the language
in the draft clearly needs to be revised. There is no requirement that the
verifying implementation use the specific information contained within
KeyInfo in the actual signature validation, although (as in CMS) we expect
that for efficiency reasons implementations will likely try the included key
information first before hitting a database to look for other potential keys
to use to validate the signature.
Once the signature has checked out, trust management models come into play
(step (2)).  Here XML-DSIG makes no statement about how individual
applications may choose to perform step (2), or even what information that
may use to make such determinations.  We provide a place, KeyInfo, in which
applications may choose to communicate information that may be useful for
step (2), but again there's no requirement that that mechanism be used.
I agree with you that "sending an unprotected key by using the KeyValue
mechanism does little good in a trust-management environment;" but that's
not an issue here because we're not trying to convey trust to the trust
management engine via the KeyValue clause.  As for your two other concerns:
	I'm concerned that (A) by populating KeyValue, I might encourage
users to simply verify the signature based on the contents of KeyValue
without even attempting to validate my certificate or certificate path, and 
This statement doesn't make sense because it combines steps (1) and (2),
which are explicitly separate.  For performance reasons it's quite likely
that verifiers will try the provided key information first to satisfy step
(1).  That doesn't help with step (2), though, and clearly implementers of
XML-DSIG must understand the difference between these two steps and what
information they get out of each of them.  As an aside, I assume that your
use of "certificate or certificate path" is simply a stand-in for whatever
evidence your trust management engine chooses to accept.
	(B) by making my implementation accept KeyValue, I open myself up to
accepting signatures that I shouldn't trust. 
Again, this statement confuses signature validation from trust management
processing.  Perhaps we need more explicit language in the draft calling out
the fundamental difference between the two.
Moving on, Carl wrote:
	Thanks to Brian's comments I understand now the idea is for KeyInfo
to serve as a "hint" and little/nothing more. However, I still fail to see
where KeyValue provides anything in the way of "base interoperability" where
a PKI application receives a key via KeyValue from a non-PKI application and
thus fail to see why KeyValue is required. It seems only to provide enough
interoperability for a non-PKI application to deliver a key that cannot be
validated to a PKI application. 
I don't understand the distinction Carl's trying to draw here between "PKI"
and "non-PKI" applications.  I believe there may be some confusion because
in PKIX applications keys are always delivered as part of the PKIX evidence
(i.e. PKIX certificates) used as input to PKIX trust management processors
(i.e. PKIX chain builders & path validation logic).  There is no assumption
in XML-DSIG that any particular trust management engine will use particular
forms of evidence that embed keys.  PKIs, in the abstract sense, deal
primarily with making the trust management decisions that form step (2)
above.  Since we cannot assume the existence of any particular form of PKI
in XML-DSIG, let alone one that always conveys keys inside trust management
evidence, XML-DSIG must provide the base interop for doing cryptographic
signature checks.
I hope this helps clear things up,
					--bal
Received on Tuesday, 14 March 2000 18:34:36 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:09 GMT