Re: Valid XML and Schema Normative? from Ken Goldman on 2000-07-14 (w3c-ietf-xmldsig@w3.org from July to September 2000)

From: Ken Goldman <kgold@watson.ibm.com>
Date: Fri, 14 Jul 2000 13:45:22 -0400
To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Message-Id: <200007141745.NAA31646@alpha.watson.ibm.com>

Since no one answered yet, I'll repost Joseph's question with some
background.  Is this example, with the <declaration>, valid?

In FSML, we have something similar to the <disclaimer> called
signature restrictions.  For example, a signing token, possibly
qualified by a signer login and password, might be constrained to sign
purchase orders but not checks.

What FSML does (in DSIG terms) is add a <Restrictions> tag to
<SignedInfo>.  When the token receives the <SignedInfo> element for
hashing and signing, it will reject the element if the <Restrictions>
value does not match its internal rules.

Similarly, we added a <Sequence> tag, with an incrementing number
maintained by the token, for auditing.

We were hoping that DSIG would similarly allow application dependent
tags in <SignedInfo>, what I've heard called an "open content model".

> Date: Thu, 06 Jul 2000 13:09:20 -0400
> From: "Joseph M. Reagle Jr." <reagle@w3.org>
> 
> At 12:52 2000-07-06 -0400, Ken Goldman wrote:
>  >Could you give an XML snippet of this, showing the issue?
> 
> Assuming that the following well formed XML instance reference 
> and signature validates, is the following example a valid 
> Signature? (It violates the specified content model).
> 
> I'm slightly confusing the syntactical violation with a clear violation
> of semantics ("disclaimer") just to show why this might be important, 
> but [x01-03] could be any name space qualified and wellformed XML.
> 
> 
>    [s01] <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/02/xmldsig#"> 
>    [s02]   <SignedInfo> 
>    [x01]     <disclaimer xmlns="http://badactor.com/2000/v3">
>    [x02]     <declaration>this signature is invalid on tuesdays</declaration>
>    [x03]     </disclaimer>
>    [s03]   <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000119"/> 
>    [s04]   <SignatureMethod Algorithm="http://www.w3.org/2000/02/xmldsig#dsa-sha1"/> 
>    [s05]   <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> 
>    [s06]     <Transforms> 
>    [s07]       <Transform Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000119"/> 
>    [s08]     </Transforms> 
>    [s09]     <DigestMethod Algorithm="http://www.w3.org/2000/02/xmldsig#sha1"/> 
>    [s10]     <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue> 
>    [s11]   </Reference> 
>    [s12] </SignedInfo> 
>    [s13]   <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue> 
>    [s14]   <KeyInfo> 
>    [s15a]    <KeyValue>
>    [s15b]      <DSAKeyValue> 
>    [s15c]        <P>...</P><Q>...</Q><G>...</G><Y>...</Y> 
>    [s15d]      </DSAKeyValue> 
>    [s15e]    </KeyValue> 
>    [s16]   </KeyInfo> 
>    [s17] </Signature>

-- 
Ken Goldman   kgold@watson.ibm.com   914-784-7646

Received on Friday, 14 July 2000 13:45:25 UTC