- From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
- Date: Tue, 29 Jul 2008 16:23:51 +0200
- To: XMLSec <public-xmlsec-maintwg@w3.org>
- Message-ID: <488F27F7.6060005@iaik.tugraz.at>
Dear all,

Some steps that - taking a first quick approach - could be sufficient to make sure an enveloping signature V2 may respect the following order for streaming processing:

1. Algorithms
2. Data
3. DigestValues and SignatureValues

Here is a quickly drafted proposal about how this could be achieved using the current XMLDSIG syntax:

* create a reference that points to the data (the first child of a specific transform), the URI SHOULD be supplied for compatibility.
  e.g. URI = "#xmlns(ds=http://www.w3.org/2000/09/xmldsig#)xpointer(here()/ancestor::ds:Reference/ds:Transforms[1]/ds:Transform[1]/InlineXML[1]/child::node()[not(self::text())])"
* supply the data as a child of the first transform that is supposed to be ignored by old applications and shall return the data contained as its first child.
  e.g. Algorithm="http://www.w3.org/2008/08/xmldsig#supply-data-transform"
* [optional] make sure it is not digested twice (ds:Reference Level & ds:SignedInfoLevel, optional because the interpretation of conflicting double digesting may be difficult in some legal frameworks)
  e.g. Algorithm="http://www.w3.org/2008/08/xml-exc-c14n12#SkipDataTransform" (maybe use for forwards compatibility)
  the only means we have for that is the ds:SignedInfo Level c14n, ...

Konrad

A draft example often says more than a thousand words.

    <Signature Id="MyStreamingEnvelopingSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2008/08/xml-exc-c14n12#SkipDataTransform"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <Reference URI="#xmlns(ds=http://www.w3.org/2000/09/xmldsig#)xpointer(here()/ancestor::ds:Reference/ds:Transforms[1]/ds:Transform[1]/InlineXML[1]/child::node()[not(self::text())])">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2008/08/xmldsig#supply-data-transform">
              <InlineXML xmlns="" xmlns:ds="" ... further undeclarations ... xmlns:*=""><!-- no space allowed/interpreted here --><MyData></MyData><!-- no space allowed/interpreted here --></InlineXML>
            </Transform>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04//xmlenc/#/sha256/"/>
          <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>...</SignatureValue>
      <KeyInfo>
        <KeyValue>
          <DSAKeyValue>
            <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
          </DSAKeyValue>
        </KeyValue>
      </KeyInfo>
    </Signature>

--
Konrad Lanz, IAIK/SIC - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5547
Fax: +43 316 873 5520
https://www.iaik.tugraz.at/aboutus/people/lanz
http://jce.iaik.tugraz.at

Certificate chain (including the EuroPKI root certificate):
https://europki.iaik.at/ca/europki-at/cert_download.htm
Received on Tuesday, 29 July 2008 14:24:37 UTC
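
An added example, not part of the original message: a Python check that records the order in which a one-pass parser meets algorithm identifiers, inline data and digest/signature values in a layout like the draft's. The sample document is constructed (elided parts replaced by placeholders, a single Reference assumed), and the function names `stream_order` and `order_violations` are hypothetical.

```python
import io
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the draft's layout made well-formed with placeholders.
# The c14n and transform URIs are the draft's proposals; the digest URI,
# Reference URI and values are placeholders, not real identifiers.
SAMPLE = b"""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2008/08/xml-exc-c14n12#SkipDataTransform"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI="#placeholder">
<Transforms><Transform Algorithm="http://www.w3.org/2008/08/xmldsig#supply-data-transform">
<InlineXML xmlns=""><MyData>payload</MyData></InlineXML>
</Transform></Transforms>
<DigestMethod Algorithm="urn:example:digest-placeholder"/>
<DigestValue>AAAA</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>AAAA</SignatureValue>
</Signature>"""

def stream_order(xml_bytes):
    """Classify each start tag in the order a one-pass parser meets it."""
    order, depth = [], 0  # depth > 0 while inside the InlineXML wrapper
    events = ET.iterparse(io.BytesIO(xml_bytes), events=("start", "end"))
    for event, elem in events:
        if elem.tag == "InlineXML":
            depth += 1 if event == "start" else -1
        elif event == "start":
            name = elem.tag.replace(DS, "")
            if depth:
                order.append(("data", name))
            elif "Algorithm" in elem.attrib:
                order.append(("algorithm", name))
            elif name in ("DigestValue", "SignatureValue"):
                order.append(("value", name))
    return order

def order_violations(order):
    """Return items that arrive too late for 'algorithms, data, values'."""
    rank = {"algorithm": 0, "data": 1, "value": 2}
    highest, late = 0, []
    for phase, name in order:
        if rank[phase] < highest:
            late.append((phase, name))
        highest = max(highest, rank[phase])
    return late

if __name__ == "__main__":
    print(order_violations(stream_order(SAMPLE)))
```

On the constructed sample the only element reported is `DigestMethod`, which the XMLDSIG schema places after `Transforms` inside `Reference`, so a one-pass verifier meets it after the inline data.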