- From: John Boyer <JBoyer@PureEdge.com>
- Date: Thu, 16 Oct 2003 15:08:07 -0700
- To: "Chugh, Sanjay" <schugh@filenet.com>, "Michael McIntosh" <mikemci@us.ibm.com>
- Cc: <w3c-ietf-xmldsig@w3.org>, <w3c-ietf-xmldsig-request@w3.org>
- Message-ID: <7874BFCCD289A645B5CE3935769F0B52683D75@tigger.pureedge.com>
Hi Sanjay,
For starters, it will be hard to create an XPath filter (esp. one that complies to XPath filter 2)
that is less efficient than creating 200 individual references.
Secondly, it's my understanding that you generally don't want the material being digested
to be too small.
Thirdly, signature filters are often a significant security risk when they are expressed with
inclusive logic rather than exclusive logic. In other words, you need your filters to say
what will not get signed rather than what will get signed.
In general, the point of a signature filter is to define what parts of a form must undergo
further work after a signature event. These are the parts of a form that should be omitted
from the signature. The idea is that you have more security because the only things
that can change about the form as a whole document are the things you have defined
as being omitted.
Conversely, if you say 'include these 200 things' then you are implicitly saying 'omit
everything else', so I can add 1000 other things to your form such that, in the rendering
environment, I become able to obfuscate the 200 things you originally signed.
It is much better to say, here are the 50 things I omit, and here is the exact pattern to
which those 50 things must conform in order to be omitted. If they do not fit the
omission pattern, then they are included. If they were not included during the signing,
then the signature breaks.
This is the essence of a presentation I did at RSA 2000, and it the subject of many of
my prior emails to this group, which I'm sure were typically not understood either :-)
Cheers,
John Boyer, Ph.D.
Senior Product Architect and Research Scientist
PureEdge Solutions Inc.
-----Original Message-----
From: Chugh, Sanjay [mailto:schugh@filenet.com]
Sent: Thursday, October 16, 2003 2:46 PM
To: Michael McIntosh
Cc: w3c-ietf-xmldsig@w3.org; w3c-ietf-xmldsig-request@w3.org
Subject: RE: What is the best way to handle the case where you would end up with too many references in a digital signature?
No. The way our forms are structured, I don't think that can be the case.
I thought that I had found a solution myself by adding a unique namespace for the cells, but it was shot down by the developers more familiar with the
inner workings of the form then myself. The reason being that some elements can be signed by more then one signatures, say for example when you have a form that would be signed by an employee and also a manager. There may be some common elements that both of them sign.
-- Sanjay
-----Original Message-----
From: Michael McIntosh [mailto:mikemci@us.ibm.com]
Sent: October 16, 2003 3:30 PM
To: Chugh, Sanjay
Cc: w3c-ietf-xmldsig@w3.org; w3c-ietf-xmldsig-request@w3.org
Subject: Re: What is the best way to handle the case where you would end up with too many references in a digital signature?
Is there no way for you to group them under a common parent element?
"Chugh, Sanjay" <schugh@filenet.com>
Sent by: w3c-ietf-xmldsig-request@w3.org
10/16/2003 05:22 PM
To: <w3c-ietf-xmldsig@w3.org>
cc:
Subject: What is the best way to handle the case where you would end up with too many references in a digital signature?
If I have an XML Document, where I need to sign say up to two hundred different elements (different parts of a very complex form for example),
I think I will end up with up to 200 references, in the SignedInfo or manifest, whereever we decide to put them.
We did think about using an XPath expression, but that would get too large and performance might be an issue I think.
What is a good way to handle such a scenario?
Thanks,
-- Sanjay
Received on Thursday, 16 October 2003 18:08:09 UTC