- From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Date: Wed, 31 Mar 2010 09:07:57 -0400
- To: Hirsch Frederick (Nokia-CIC/Boston) <Frederick.Hirsch@nokia.com>
- Cc: public-webapps WG <public-webapps@w3.org>, Thomas Roessler <tlr@w3.org>, "Barstow Art (Nokia-CIC/Boston)" <Art.Barstow@nokia.com>
- Message-Id: <4566A7E5-7701-4229-B540-69A9123D2941@nokia.com>
Based on some feedback I have a revision to the Normative change (same intent) and also a clarification that might be helpful: (A) Revised Proposal Disallow all Transforms except for a single canonicalization transform that is required for every ds:Reference that needs XML content canonicalization. Specifically, this would result in the following changes to the Widget Signature specification [1]: (1) Normative change: (a) Section 7.1 Common Constraints for Signature Generation and Validation Change 3c from "The ds:Reference MUST NOT have any ds:Transform elements." to A ds:Reference to any XML content MUST have a ds:Transform element child that specifies the canonicalization method. Canonical XML 1.1 MUST be specified as the Canonicalization Algorithm for this transform. Sectjon 7.2, add Every ds:Reference to XML content MUST have exactly one ds:Transform element to specify the canonicalization method. Canonical XML 1.1 MUST be specified as the Canonicalization Algorithm. Note that this specifically means that a ds:Reference to the ds:Object element and the ds:Reference to config.xml will each require a ds:Transform element to specify canonicalization method. Section 7.3, add after the third paragraph ("If a ds:KeyInfo element is present") the following new paragraph: When validating a Widget Signature, a validator MUST be able to process a ds:Reference that has a ds:Transform specifying the canonicalization method. The validator MUST be able to process a ds:Reference that specifies Canonical XML 1.1 as a canonicalization method. The validator SHOULD also be able to process XML content with a ds:Reference that does not include a ds:Transform by using the default Canonical XML 1.0 canonicalization method. (2) Non-normative change: 1.4 Example, (formatting appropriately and renumbering lines) Change <Reference URI="config.xml"> to <Reference URI="config.xml"> <Transforms> <Transform Algorithm="http://www.w3.org/2006/12/xml- c14n11"/></Transforms> Change <Reference URI="#prop"> to <Reference URI="#prop"> <Transforms> <Transform Algorithm="http://www.w3.org/2006/12/xml- c14n11"/></Transforms> ---------- (B) Clarificationn There are two different places in XML Signature where XML canonicalization applies, hence leading to possible confusion. First, there is the canonicalization of SignedInfo. This is determined by the CanonicalizationMethod of SignedInfo. This only applies to the canonicalization of SignedInfo itself, however http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-CanonicalizationMethod Second, there is the canonicalization of XML referenced using a ds:Reference, for example both the ds:Object element and the config.xml in the Widget Signature case. In each case the content obtained from the URI for the ds:Reference requires canonicalization unless already an octet stream, so by default canonicalization is used to convert the XML to an octet stream. If no transform is specified, then the default 1.0 canonicalization algorithm is used. This has two problems - it isn't obvious that canonicalization was done at all and this might become an interop problem, and Canonical XML 1.0 is used instead of 1.1 (that fixes known issues with xml:id). By putting an explicit Transform within each ds:Reference element it makes this all clear. There is no mechanism in XML Signature to specify how all ds:Reference elements to XML are to be canonicalized - it is specified individually for each Reference, and in XML Signature 1.1 and earlier this is done by specifying a transform, as noted in this example 2.1 from XML Signature 1.1: [s05] <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> [s06] <Transforms> [s07] <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/> [s08] </Transforms> [s09] <DigestMethod Algorithm="http://www.w3.org/2001/04/ xmlenc#sha256"/> [s10] <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue> [s11] </Reference> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-o-Simple regards, Frederick Frederick Hirsch Nokia On Mar 29, 2010, at 4:16 PM, Hirsch Frederick (Nokia-CIC/Boston) wrote: > ISSUE: Widget Signature : Not specifying Canonicalization algorithm > explicitly > > Detail: The current Widget Signature specification does not allow the > use of XML Signature Transforms, however the only means to explicitly > specify the Canonicalization method to use to use a transform (in > XML Signature 1.1 and earlier). Using the default may be > problematical if organizations are not able to confirm the default in > use, or because a different algorithm is required (for example with > an Id on ds:Object Canonical XML 1.1 should be used, but the default > is Canonical XML 1.0) > > PROPOSAL: > > Disallow all Transforms except for a single canonicalization > transform that is required for every ds:Reference that needs XML > content canonicalization. > > Specifically, this would result in the following changes to the > Widget Signature specification [1]: > > (1) Normative change: > > Section 7.1 Common Constraints for Signature Generation and Validation > > Change 3c from "The ds:Reference MUST NOT have any ds:Transform > elements." to > > "The ds:Reference MUST NOT have any ds:Transform elements other than > a single Transform to specify the canonicalization method. A > ds:Transform element specifying Canonicalization method MUST be > present when the ds:Reference is known to reference XML content. > Canonical XML 1.1 MUST be specified as the Canonicalization > Algorithm. For example, a ds:Transform specifying the canonicalization > method is needed for the config.xml reference as well as the Object > reference. > > (2) Non-normative change: > > 1.4 Example > > Add > > <Transforms> <Transform Algorithm="http://www.w3.org/2006/12/xml- > c14n11"/></Transforms> > as the first child element of the following Reference elements in the > example 1.4 (formatting appropriately and renumbering lines): > <Reference URI="config.xml"> > <Reference URI="#prop"> > ---------- > > regards, Frederick > > Frederick Hirsch > Nokia > > [1] http://www.w3.org/TR/widgets-digsig/
Received on Wednesday, 31 March 2010 13:08:29 UTC