signature validation clarification

I would like to clarify how XML validation works with XML Digital Signatures (or confidentiality).

If I have an XML document with an associated DTD or schema, I may validate that document.
The document might be
<info>
<item>abc</item>
</info>

If I decide to sign that document I may use a detached signature or an enveloped or enveloping signature. 

If I use a detached signature I may continue to validate the document since the signature is an independent XML document. I may also validate the signature document, using the appropriate DTD or schema which takes into account SignatureProperties.

I may also decide to create another XML document which includes both the original document element and the signature element - I can validate this combined document against a DTD or schema. This schema may refer to the original schemas for the original document and signature (as is done in the P3P profile), or for a DTD I may have to write a new one. Although the two documents are together, the signature reference will refer to the independent original document URI and not provide a fragment reference to the content in the combined document, so it won't be really fully self-contained.
<binding>
<info>...</info>
<Signature>...<Reference URI="http://somewhere/foo.xml">...</Signature>
</binding>

If I create an enveloped signature, this means that when I sign the original XML document the signature element is added to the document. Thus the original document becomes:

<info>
<item>abc</item>
<Signature>...<Reference URI="">...</Signature>
</info>

In this case the reference URI refers to the actual XML document which includes the signature. This document will no longer validate unless the original document DTD or schema included an optional signature definition. Namespaces prevent name collisions but do not address the validation issue. Even if I have a namespace aware validating parser, this parser would still need both schemas and even then would not be able to validate this combined document - since the individual schemas would say nothing about how the two documents are combined.

Is this an argument for generally using detached signatures and then defining and creating new combination documents (as done in the P3P profile)? Is there a free validating parser which can validate enveloped signatures?

thanks

< Frederick

Received on Monday, 22 January 2001 09:03:32 UTC
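The enveloped case described in the message (a Reference with URI="" pointing at the document that now contains the Signature element, and the resulting validation failure), worked through as an added example in Python. This is not code from the message or from any W3C implementation: it uses only the standard library, stands in for a real DTD or schema with a tiny hand-written content-model check (validate_document), and signs SignedInfo with an HMAC under a constructed key (DEMO_KEY) where real XML-DSig would use a key pair; the sample document, the function names and the key are all assumptions. It shows why the enveloped-signature transform exists: the reference digest is computed over the document with the Signature element removed, so the signature can live inside the very document it covers.

```python
"""Enveloped XML Signature walk-through using only the Python standard library."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DSIG_NS)


def ds(local):
    """Clark-notation tag name in the XML-DSig namespace."""
    return f"{{{DSIG_NS}}}{local}"


SIG_TAG = ds("Signature")
ENVELOPED_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA256_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample document (the one from the message) and a constructed
# demo secret; a real signature would use an RSA/DSA key pair, not an HMAC key.
SAMPLE_DOC = "<info><item>abc</item></info>"
DEMO_KEY = b"constructed-demo-key"


def canonical_bytes(elem):
    """Serialise a subtree and run it through the stdlib C14N 2.0 canonicaliser."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def enveloped_digest(root):
    """SHA-256 over the whole document with every ds:Signature removed.

    This is what Reference URI="" plus the enveloped-signature transform
    denotes: the reference is the containing document itself, minus the
    Signature element whose value is being computed."""
    doc = copy.deepcopy(root)
    doomed = [(parent, child) for parent in doc.iter() for child in parent
              if child.tag == SIG_TAG]
    for parent, child in doomed:
        parent.remove(child)
    return hashlib.sha256(canonical_bytes(doc)).digest()


def sign_document(xml_text, key):
    """Return xml_text with a ds:Signature (Reference URI="") appended to the root."""
    root = ET.fromstring(xml_text)
    digest = enveloped_digest(root)
    sig = ET.SubElement(root, SIG_TAG)
    signed_info = ET.SubElement(sig, ds("SignedInfo"))
    ref = ET.SubElement(signed_info, ds("Reference"), URI="")
    transforms = ET.SubElement(ref, ds("Transforms"))
    ET.SubElement(transforms, ds("Transform"), Algorithm=ENVELOPED_TRANSFORM)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256_ALG)
    ET.SubElement(ref, ds("DigestValue")).text = base64.b64encode(digest).decode()
    # SignedInfo is what actually gets signed; HMAC stands in for the key pair here.
    mac = hmac.new(key, canonical_bytes(signed_info), hashlib.sha256).hexdigest()
    ET.SubElement(sig, ds("SignatureValue")).text = mac
    return ET.tostring(root, encoding="unicode")


def verify_document(xml_text, key):
    """Re-parse a signed document and check the reference digest and the MAC."""
    root = ET.fromstring(xml_text)
    sig = root.find(SIG_TAG)
    if sig is None:
        return False
    signed_info = sig.find(ds("SignedInfo"))
    ref = signed_info.find(ds("Reference"))
    stored = base64.b64decode(ref.findtext(ds("DigestValue"), ""))
    if not hmac.compare_digest(stored, enveloped_digest(root)):
        return False  # content changed after signing
    mac = hmac.new(key, canonical_bytes(signed_info), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, sig.findtext(ds("SignatureValue"), ""))


def validate_document(xml_text, signature_allowed=False):
    """Minimal stand-in for the document's DTD/schema: <info> holds <item>
    elements only, unless the content model was extended with an optional
    ds:Signature. Returns a list of violations (empty means valid)."""
    root = ET.fromstring(xml_text)
    allowed = {"item"} | ({SIG_TAG} if signature_allowed else set())
    if root.tag != "info":
        return [f"unexpected root element {root.tag}"]
    return [f"{child.tag} is not allowed inside <info>"
            for child in root if child.tag not in allowed]


if __name__ == "__main__":
    signed = sign_document(SAMPLE_DOC, DEMO_KEY)
    print("original document, original schema:", validate_document(SAMPLE_DOC))
    print("signed document, original schema:", validate_document(signed))
    print("signed document, schema with optional Signature:",
          validate_document(signed, signature_allowed=True))
    print("signature verifies:", verify_document(signed, DEMO_KEY))
```

Running it prints the three validation results and the verification outcome: the content-model check fails after signing unless the ds:Signature element is declared optional, which is exactly the schema change the message describes, while verification succeeds because signer and verifier both strip the Signature before digesting.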