RE: Enveloped signatures and XPath from Petteri Stenius on 2000-03-27 (w3c-ietf-xmldsig@w3.org from January to March 2000)

From: Petteri Stenius <Petteri.Stenius@remtec.fi>
Date: Tue, 28 Mar 2000 00:56:00 +0300
To: "'John Boyer'" <jboyer@PureEdge.com>, Mark Bartel <mbartel@thistle.ca>
Cc: "''IETF/W3C XML-DSig WG (E-mail) ' '" <w3c-ietf-xmldsig@w3.org>
Message-ID: <CD0FF8F92CA8D311B9AB00105A14D5570B0FD5@server.remtec.fi>

John,

I agree with you that it is possible to make more specific inclusion (or
exclusion) transforms with XPath.

But what you are also saying is that it's possible to compose not so
specific transforms with XPath. How does the verifying application know that
a given XPath expression is good enough to trust? Should the verifier simply
trust the signer? This requirement for trust is what I guess Mark is also
trying to point out.

Exclusion by id only solves the most simple case with enveloped signatures,
and as such is rather restricted. 

Mark suggests that we should define a new transform, and I agree with that. 

I'd take this a little bit further by defining the new transform using the
existing algorithms (XPath or XSLT) and by identifying the transform with a
URI reference. For example

<Reference URI="">
	<Transforms>
		<Transform
Algorithm="&dsig;xpath:exclude-the-signaturevalue-element"/>
	</Transforms>
</Reference>

The XML Signatures spec would include the XPath expression for this named
transform, the expression does not need to be included with the signature.

The signature verifier easilly identifies this transform and can choose to
use the XPath expression, or have the functionality programmed into the
implementation. 


Petteri


> -----Original Message-----
> From: John Boyer [mailto:jboyer@PureEdge.com]
> Sent: 27. maaliskuuta 2000 21:57
> To: Mark Bartel; 'Joseph M. Reagle Jr. '
> Cc: ''Petteri Stenius ' '; ''IETF/W3C XML-DSig WG (E-mail) ' '
> Subject: RE: Enveloped signatures and XPath
> 
> 
> Hi Mark,
> 
> Actually, I will maintain that exclusion by id only is a bad idea
> 
> Inclusion by id is useful because you identify an element 
> whose content WILL
> BE in the message digest, so if the identified element's 
> content is changed,
> then the message digest will break.
> 
> Exclusion by id is bad because you identify an element whose 
> content WILL
> NOT BE in the message digest, so if the identified element's 
> content, tag,
> attributes, etc. are changed, then the message digest will not break.
> 
> The purpose of doing exclusion logic with XPath is that, 
> although it is
> possible to do exclusion by id with XPath, it is also 
> possible to do much
> better.  One can identify an element, but then add additional 
> tests that
> only exclude the element if it has the right properties, 
> properties which
> the application author can guarantee do not impact the 
> interpretation of the
> signature over the material that is digested.
> 
> Exclusion logic is quite unsecure and therefore useless 
> unless appropriate
> measures have been taken to be quite specific about what gets 
> excluded.
> 
> John Boyer
> Software Development Manager
> PureEdge Solutions, Inc. (formerly UWI.Com)
> Creating Binding E-Commerce
> jboyer@PureEdge.com
>

Received on Monday, 27 March 2000 16:56:14 UTC