
User defined DSIG element

From: Ko Fujimura <fujimura@isl.ntt.co.jp>
Date: Wed, 21 Apr 1999 20:17:29 +0900
Message-ID: <14109.46025.781844.12467T@renoir.isl.ntt.co.jp>
To: w3c-xml-sig-ws@w3.org
Cc: fujimura@isl.ntt.co.jp
At Tue, 20 Apr 1999 13:07:02 -0400,
Alan Kotok <kotok@w3.org> wrote:
...
> On another subject, I we need to be clearer about what of this work is
> defining an XML schema for signed documents, and what is dealing with what
> is done with existing XML documents to allow them to be signed.  The former
> gets into the questions of what to do about these assertions, and the
> latter into following links and canonicalization.  I believe these two
> parts can and should be separated clearly.

I agree. I would like to discuss this more from the former point of view.

Basically, an XML schema defines the structure of the XML documents by its
definition, and any properties needed by the application should be freely
defined in the XML schema. I think that even an AP-specific signature
element should be allowed. For example:

<root xmlns:myAP='http://mycorp.com/schema'>
  <myAP:SignedAssertion>
    <myAP:Assertion>
    ... 
    </myAP:Assertion>
    <myAP:Signature>
    ...
    </myAP:Signature>
  </myAP:SignedAssertion>
</root>

I would like to define the semantics of the signature in the XML
schema definition instead of the signed document itself, since it
reduces the size of the signed description. Assume that the number of
the signed descriptions is more than 1000, whose semantics are the same.

Someone pointed out that it is possible to alter the signature
algorithms or other signature semantics if it is not explicitly 
defined in the signature block. But, this issue can be resolved easily by
having the digest value of the schema definition in the signed block
as follows: 

<root xmlns:myAP='http://mycorp.com/schema'>
  <myAP:SignedAssertion  dsig:SchemaDigest="...">
                         ^^^^^^^^^^^^^^^^^^^^^^^
    <myAP:Assertion>
    ... 
    </myAP:Assertion>
    <myAP:Signature>
    ...
    </myAP:Signature>
  </myAP:SignedAssertion>
</root>

Do we really have to define a standard signature DTD? Instead, I would
like to have the vocabulary to describe the semantics of digital
signatures, which can be used in the schema definition. Although, it
might be an issue of the XML schema / RDF schema integration work.

Regards,

Ko
o---------------------------------------------------------o
o      Ko Fujimura         Email: fujimura@isl.ntt.co.jp  o
o---------------------------------------------------------o
o NTT Information Sharing Platform Labs, Security Project o
o 1-1 Hikarinooka, Yokosuka-shi, Kanagawa 239-0847, JAPAN o
o Tel: +81-(0)468-59-3814         Fax: +81-(0)468-59-8329 o
o---------------------------------------------------------o
Received on Wednesday, 21 April 1999 07:17:37 EDT
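
The schema-digest binding proposed in the message above, as an added example that is not part of the original post. Assumptions: SHA-256 as the digest, an HMAC standing in for the signature primitive, a made-up URI for the dsig prefix (the message never binds it), and hypothetical function names.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

AP = "http://mycorp.com/schema"   # namespace from the message's example
DSIG = "urn:example:dsig"         # assumed: the message never binds the dsig prefix

def schema_digest(schema: bytes) -> str:
    return hashlib.sha256(schema).hexdigest()   # assumed digest algorithm

def _mac(key: bytes, digest: str, assertion: str) -> str:
    # HMAC stands in for the signature; the schema digest is part of the signed bytes.
    return hmac.new(key, f"{digest}\n{assertion}".encode(), hashlib.sha256).hexdigest()

def sign(assertion: str, schema: bytes, key: bytes) -> bytes:
    digest = schema_digest(schema)
    root = ET.Element("root")
    signed = ET.SubElement(root, f"{{{AP}}}SignedAssertion",
                           {f"{{{DSIG}}}SchemaDigest": digest})
    ET.SubElement(signed, f"{{{AP}}}Assertion").text = assertion
    ET.SubElement(signed, f"{{{AP}}}Signature").text = _mac(key, digest, assertion)
    return ET.tostring(root)

def verify(doc: bytes, schema: bytes, key: bytes) -> str:
    signed = ET.fromstring(doc).find(f"{{{AP}}}SignedAssertion")
    claimed = signed.get(f"{{{DSIG}}}SchemaDigest", "")
    # 1. The schema the verifier holds must be the one the signer pinned.
    if not hmac.compare_digest(claimed.encode(), schema_digest(schema).encode()):
        return "schema-mismatch"
    # 2. The pinned digest itself must be covered by the signature.
    assertion = signed.findtext(f"{{{AP}}}Assertion", "")
    sig = signed.findtext(f"{{{AP}}}Signature", "")
    if not hmac.compare_digest(sig.encode(), _mac(key, claimed, assertion).encode()):
        return "bad-signature"
    return "ok"

def repin(doc: bytes, schema: bytes) -> bytes:
    # Constructed tampering case: rewrite the attribute to match another schema.
    root = ET.fromstring(doc)
    root.find(f"{{{AP}}}SignedAssertion").set(f"{{{DSIG}}}SchemaDigest",
                                              schema_digest(schema))
    return ET.tostring(root)

# Constructed sample inputs.
KEY = b"demo-key"
SCHEMA = b"<schema><signature algorithm='strong'/></schema>"
ALTERED = b"<schema><signature algorithm='weak'/></schema>"
DOC = sign("alice may read", SCHEMA, KEY)
```

The binding only holds because the digest attribute is inside the signed bytes; a SchemaDigest left outside the signature could be rewritten together with the schema.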