Review of latest Widget Signature Draft from Thomas Roessler on 2009-02-25 (public-webapps@w3.org from January to March 2009)

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 25 Feb 2009 13:06:14 +0100
To: "public-webapps@w3.org WG" <public-webapps@w3.org>
Cc: XMLSec WG Public List <public-xmlsec@w3.org>
Message-Id: <E0A54B27-181F-41C3-B099-67F07231DEC0@w3.org>
In reviewing the latest draft, a couple of comments.

   Widgets 1.0: Digital Signatures
   Editor's Draft 23 February 2009
   http://dev.w3.org/2006/waf/widgets-digsig/

(Mostly) editorial:

- I would propose including a table of namespace prefixes and  
namespace URIs, and just saying that the prefixes are editorial  
conventions.  The current text in 1.1 and 1.2 is a bit hard to refer  
to, and the text in 1.2 sounds like it comes from a time when  
namespaces were new.  (It is, since it's lifted straight from XML  
Signature 1.0. ;-)

- 4.2 claims that the author signature serves to determine "whether or  
not two widgets came from the same author". Actually, author  
signatures from the same identity can only confirm that they come from  
the same author; signatures from different identities could still be  
from the same author.  Strike "or not".

- 4.3 mentions that distributor signatures may have implications in  
security policies.  The same isn't said for author signatures.  I  
propose either saying this generically, or striking it from 4.3.

- 4.3 says "no distributor signatures are to be included".  I know  
what that's supposed to mean, but think this might cause confusion.  I  
suggest to say something along the following lines:

> The ds:Signature MUST include ds:References for all resources of the  
> widget including any author signatures, but excluding any  
> distributor signatures.  In other words, distributor signatures MUST  
> countersign author signatures, but MUST NOT countersign other  
> distributor signatures.


- 5.1 says "as required by [XMLDSIG11]" -- I propose striking that,  
since this specification is making its own, possibly diverging choice  
of mandatory to implement algorithms.


Not so editorial:

- In the example in 1.4, the signature doesn't cover the signature  
properties.

- 5.2 and 5.3 have an issue about additional algorithms.  I suggest  
just being silent about them.

- The processing model in 6.2 sounds as if it requires implementations  
to do a deep-dive into other signature files in order to determine  
whether an author signature, if present, is covered by a distributor  
signature.  That sounds error-prone.  I wonder if there should be a  
simple file name convention to distinguish author and distributor  
signatures, to make signature validation independent of parsing more  
than one signature resource.

- The processing model in 6.2 does not currently enforce the MUST NOT  
on distributor signatures countersigning each other.  I'm having a  
hunch that that might get abused by malevolent distributors in order  
to interfere with each other; I therefore suggest that distributorr  
signatures that countersign each other are a reason for validation  
failure.

- In 6.1, I wonder whether it's worthwhile to rebuild the signature  
properties piece a bit -- the current description is mildly convoluted  
(by describing a tree from the leaves, not the root).

- We're not currently saying how same-document references are done.   
The example suggests ID-based references.  That should be said  
explicitly -- or else people might start using complex xpointers.  It  
might also be useful to recommend the use of random strings for the  
IDs.  Corresponding to that, the validation model does not enforce the  
position of the signature properties within the overall XML document.   
That might lead to interesting differences in implementations that  
could cause different implementations to see different things.

- In 4.4, we currently perform a dance around X.509 version numbers.   
Thinking this through more thoroughly, it worries me that this came  
up, for the following reason:  You need an X.509 v3 extension to  
express the basic constraints on a certificate.  Without the basic  
constraints extension, it is impossible to distinguish a CA  
certificate from an end entity certificate.  Which in turn suggests  
that somebody might have inadvertently generated a CA certificate  
instead of an end entity certificate...  In other words, we shouldn't  
ever see an end entity certificate that is X.509 v1 or v2.  (And if we  
see one, it's a good idea to break it.)

- The current draft has a relatively complex set of interacting  
signatures, but does not timestamp these at all.  I'd *really* like us  
to mandate a timestamp property on each of the signatures, and demand  
during validation that the timestamp MUST be in the past.  To give  
just one example, assume a distributor's signing process is found to  
be broken, but it's not practical to exchange the signature key.   
Being able to weed out all signatures made before a particular date  
might turn out really important in this context.  (In fact, I'm  
starting to wonder whether there should be a timestamp and a serial  
number...)

- I wonder whether we should be keeping an additional hash algorithm  
in reserve, too. (That's a question that needs to go back to the XML  
Security WG.)

- I'm worried that we don't say anything about revocation of  
signatures.  I'd like to revisit why this is the case, and whether  
there's anything we can do about it.

--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 25 February 2009 12:07:26 UTC