Re: [widgets] Questions regarding to "Test Suite for the XML Digital Signatures For Widgets Specification " from Marcos Caceres on 2011-01-31 (public-webapps@w3.org from January to March 2011)

From: Marcos Caceres <marcosc@opera.com>
Date: Mon, 31 Jan 2011 20:18:54 +0100
To: Arthur Barstow <art.barstow@nokia.com>
CC: ext Andrey Nazarov <Andrey.Nazarov@oracle.com>, public-webapps <public-webapps@w3.org>
Message-ID: <4D470B1E.20006@opera.com>

On 1/31/11 7:52 PM, Arthur Barstow wrote:
> Andrey - on January 26, Marcos proposed changing the c14n algorithm in
> [1] and [2] and notified the group in [3] that he updated the Editor's
> Draft [ED] to reflect his proposal. He included rationale in [1].
>
> Marcos - in what way(s) does your proposal break the signer and
> validator conformance classes as defined in the June 2010 CR [CR]?

It would remove all references and dependencies on XML Canonicalization 
1.1 in favor of XML Canonicalization 1.0. Explicit <tranform> to 
Canonicalization 1.1 would no longer be needed (XML Dig Sig just 
defaults to 1.0). Everything else stays the same.

> -Art Barstow
>
> [1] http://lists.w3.org/Archives/Public/public-webapps/2011JanMar/0247.html
> [2] http://lists.w3.org/Archives/Public/public-webapps/2011JanMar/0250.html
> [3] http://lists.w3.org/Archives/Public/public-webapps/2011JanMar/0254.html
> [ED] http://dev.w3.org/2006/waf/widgets-digsig/
> [CR] http://www.w3.org/TR/2010/CR-widgets-digsig-20100624/#conformance
>
>
> -------- Original Message --------
> Subject: 	Questions regarding to "Test Suite for the XML Digital
> Signatures For Widgets Specification "
> Resent-Date: 	Thu, 27 Jan 2011 18:11:37 +0000
> Resent-From: 	<public-webapps@w3.org>
> Date: 	Thu, 27 Jan 2011 20:12:28 +0300
> From: 	ext Andrey Nazarov <Andrey.Nazarov@oracle.com>
> To: 	<public-webapps@w3.org>
>
>
>
> Hello All,
> I hope it is right place to ask about Test Suite for the XML Digital
> Signatures For Widgets Specification.
> If not,  where is better?
>
> I. Test 19rsa.wgt.
>
> I found that the author-signature.xml and signature1.xml files were
> corrected today (27-Jan-2011).
> It seems to me that this correction broken correspondence betwee
> specification and test.
>
> Why values of the "CanonicalizationMethod Algorithm" attribute of
> SignedInfo and "Transform Algorithm" attribute of Reference were changed
> to the same value http://www.w3.org/TR/2001/REC-xml-c14n-20010315?
>
> The specification document "Digital Signatures for Widgets W3C Candidate
> Recommendation 24 June 2010"
> (http://www.w3.org/TR/widgets-digsig/#xmldsig11)
> has the following sentences:
>
> 1. The following canonicalization algorithms /MUST/ be supported by an
> implementation <http://dev.w3.org/2006/waf/widgets-digsig/#implementation>:
> Exclusive XML Canonicalization 1.0 (omits comments) [XML-exc-C14N]
> <http://dev.w3.org/2006/waf/widgets-digsig/#xml-exc-c14n>:|http://www.w3.org/2001/10/xml-exc-c14n#|
> (see chapter8.3. Canonicalization Algorithms)
> I think it means that the "CanonicalizationMethod Algorithm" attribute
> of SignedInfo must be |http://www.w3.org/2001/10/xml-exc-c14n#
>
> 2. |A |ds:Reference| to same-document XML content /MUST/ have a
> |ds:Transform| element child that specifies the canonicalization method.
> Canonical XML 1.1 /MUST/ be specified as the Canonicalization Algorithm
> for this transform.
> (see chapter9.2. Common Constraints for Signature Generation and Validation)
> I think it means that the "Transform Algorithm" attribute of
> ds:Transform must be http://www.w3.org/2006/12/xml-c14n11..
>
> ||3. An implementation /SHOULD/ be able to process a |ds:Reference| to
> same-document XML content when that |ds:Reference| does not have a
> |ds:Transform| child element, for backward compatibility. In this case
> the default canonicalization algorithm Canonical XML 1.0 will be used.
> (see chapter9.2. Common Constraints for Signature Generation and Validation)
> I think only for this case could be used the
> "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" URI.
>
> Why this correction was done?
>
> II. Test 19dsa.wgt.
> Could somebody confirm that this test is correct?
> The deal is when I look on the certificate that is  used for this test I
> see that it contain information about DSA Public Key, but the Signature
> Algorithm for this certificate is pointed as SHA1withRSA. Is it correct?
>
> Thank you in advance,
> Andrey
>

-- 
Marcos Caceres
Opera Software

Received on Monday, 31 January 2011 19:19:36 UTC