W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2001

RE: Why is the Target attribute in SignatureProperty required?

From: Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at>
Date: Tue, 28 Aug 2001 08:28:23 +0200
To: "Dournaee, Blake" <bdournaee@rsasecurity.com>
Cc: "XMLSigWG" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBJJNFOMNNKFDPLCDJAEKACLAA.Karl.Scheibelhofer@iaik.at>
you will agree that, first, your example does not really reflect the usual
use-case. second, i would not recommend anyone to structure a document in
such a wired and inconvenient manner. third, the Target attributes do not
help you a lot in that case. because the application normally searches for
signatures and there it has to dereference all Reference elements in the
SignedInfo of each Signature. therefore, it knows, which Signature signs
what content and what SignatureProperty. if you are coming from the other
direction - the application has the SignatureProperties and wants to know,
what Signature covers what SignatureProperty - the application may follow
the Target reference. nevertheless, it has to verify if the Signature really
has a Reference to that SignatureProperty. moreover, if the application in
your example wants to have more than one Signature to cover the same
SignatureProperty, you cannot set a Target reference. it can be a
many-to-one reference, if several Signatures sign the same
SignatureProperty. and if you cannot share SignatureProperties among several
Signautre elements, it does not make sense to place them in a manner as your
example shows.
in my opinion, the Target reference attribute should be 'optional' rather
than 'required'.

regards

  Karl

--

Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at>
Institute for Applied Information Processing and Communications (IAIK)
at Graz University of Technology , Austria, http://www.iaik.at and
http://jcewww.iaik.at
Phone: (+43) (316) 873-5540

> -----Original Message-----
> From: Dournaee, Blake [mailto:bdournaee@rsasecurity.com]
> Sent: Monday, August 27, 2001 9:19 PM
> To: 'Karl Scheibelhofer'; Donald E. Eastlake 3rd
> Cc: XMLSigWG
> Subject: RE: Why is the Target attribute in SignatureProperty required?
>
>
> Karl,
>
> What if a document contains many <Signature> elements and many
> <SignatureProperties> elements?
>
> This is what I'm thinking of:
>
> <Sigs>
> 	<Signature Id="Sig1>
> 	...
> 	</Signature>
>
> 	<Signature Id="Sig2>
> 	...
> 	</Signature>
>
> 	<Signature Id="Sig3>
> 	...
> 	</Signature>
>
> 	<Signature Id="Sig4>
> 	...
>
> 	  <Object>
> 	    <SignatureProperties>
>             <SignatureProperty Id="Prop1" Target="#Sig1">
>             ...
>             </SignatureProperty>
>
> 		<SignatureProperty Id="Prop2" Target="#Sig2">
>             ...
>             </SignatureProperty>
>
> 		<SignatureProperty Id="Prop3" Target="#Sig3">
>             ...
>             </SignatureProperty>
>
>      ]   </SignatureProperties>
>
> 	  </Object>
>
> 	</Signature>
> </Sigs>
>
> In my example above, the last signature contains three sets of assertions
> that do not relate to Sig4, but do relate to the other <Signature> child
> elements.
>
>
> Blake Dournaee
> Toolkit Applications Engineer
> RSA Security
>
> "The only thing I know is that I know nothing" - Socrates
>
>
>
>
> -----Original Message-----
> From: Karl Scheibelhofer [mailto:Karl.Scheibelhofer@iaik.at]
> Sent: Monday, August 27, 2001 6:31 AM
> To: Donald E. Eastlake 3rd
> Cc: XMLSigWG
> Subject: RE: Why is the Target attribute in SignatureProperty required?
>
>
> sorry, i canot follow your argumentation.
> if my SignedProperties is inside the Object element of a
> signature, i really
> do not need this reference. even though, i must set it, because it is
> required (however, the ID of the signature itself is optional).
> if the target is present, the application must nevertheless check if this
> SignedProperties is really covered by a reference in the
> signature, when it
> verifies the signature. the Target attribute does not relly help in many
> cases. i agree that there might be applications where it is useful to have
> such a Target attribute, but it should be optional rather than reuqired, i
> think.
> this Target is only useful in applications where you have separated
> SignedProperties and you need to find the signature which signs
> it. i think
> that this is not common practice. normally you need to come from the other
> direction - you have the signature and get the SignedProperties of it, for
> which you use the references directly.
>
> regards
>
>   Karl
>
> --
>
> Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at>
> Institute for Applied Information Processing and Communications (IAIK)
> at Graz University of Technology , Austria, http://www.iaik.at and
> http://jcewww.iaik.at
> Phone: (+43) (316) 873-5540
>
> > -----Original Message-----
> > From: Donald E. Eastlake 3rd [mailto:dee3@torque.pothole.com]
> > Sent: Monday, August 27, 2001 3:13 PM
> > To: Karl Scheibelhofer
> > Cc: XMLSigWG
> > Subject: Re: Why is the Target attribute in SignatureProperty required?
> >
> >
> >
> > If it appears inside a Signature, a SignatureProperty could apply
> > to that signature or separately to any one of the References. If
> > it appeared outside of a Signature, it could apply to any singature
> > or reference in the world. You need Target to tell what's going on.
> >
> > Donald
> >
> >
> > From:  "Karl Scheibelhofer" <Karl.Scheibelhofer@iaik.at>
> > To:  "XMLSigWG" <w3c-ietf-xmldsig@w3.org>
> > Date:  Mon, 27 Aug 2001 14:47:44 +0200
> > Message-ID:  <NDBBJJNFOMNNKFDPLCDJGEJACLAA.Karl.Scheibelhofer@iaik.at>
> >
> > >hi,
> > >
> > >can anyone explain, why the Target attribute in the
> > SignatureProperty type
> > >is required and not optional? i can see no obvious reason to make this
> > >attribute required.
> > >
> > >regards
> > >
> > >  Karl
> > >
> > >--
> > >
> > >Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at>
> > >Institute for Applied Information Processing and Communications (IAIK)
> > >at Graz University of Technology , Austria, http://www.iaik.at and
> > >http://jcewww.iaik.at
> > >Phone: (+43) (316) 873-5540
> > >
> >
> >
>
>
Received on Tuesday, 28 August 2001 02:28:07 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:36 UTC