Schema validation and signing/encryption

In our call on 19 August we discussed issues related to schema  
validation in conjunction with signing and encryption [1].

The fundamental issue is that signing (and encryption) can modify an  
XML document, by either adding ds:Signature element(s) to the  
document or xenc:EncryptedData elements (in which case other elements  
originally in the document may also "disappear").

Dealing with the simpler case of signatures, authors of XML Schema  
can anticipate the addition of XML Signature elements either by  
defining optional ds:Signature elements in the schema, or using XML  
Schema wildcards to enable extension of the schema.

If this is not done, then addition of one or more XML Signature  
elements to the document will cause XML Schema validation to fail  
(though the document will remain well-formed).
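As an added illustration (this schema is not part of the original message and is not a W3C schema), here is a hypothetical "Order" schema showing both ways a schema author can anticipate signatures: an explicit optional ds:Signature element that may repeat, so that a signature plus a countersignature both validate, and a lax wildcard that admits elements from other namespaces such as xenc. The target namespace, element names and the schemaLocation (assumed to point at a local copy of the xmldsig core schema) are all assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original message: a hypothetical Order schema
     that tolerates enveloped XML Signatures. Namespace and element names are
     assumptions; schemaLocation is assumed to resolve to a local copy. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           targetNamespace="urn:example:order"
           xmlns="urn:example:order"
           elementFormDefault="qualified">

  <!-- Import the XML Signature schema so ds:Signature can be referenced. -->
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
             schemaLocation="xmldsig-core-schema.xsd"/>

  <!-- Approach 1: declare ds:Signature explicitly. minOccurs="0" keeps an
       unsigned document valid; maxOccurs="unbounded" keeps a document valid
       after a second (counter-)signature is appended without removing the
       first one. -->
  <xs:element name="SignedOrder">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="OrderId" type="xs:string"/>
        <xs:element name="Amount" type="xs:decimal"/>
        <xs:element ref="ds:Signature" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <!-- Approach 2: a wildcard. namespace="##other" admits elements from any
       namespace except the target namespace (so ds:Signature as well as
       xenc:EncryptedData qualify); processContents="lax" validates such an
       element only when a schema for its namespace is available, so the
       schema need not import xmldsig or xmlenc at all. -->
  <xs:element name="ExtensibleOrder">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="OrderId" type="xs:string"/>
        <xs:element name="Amount" type="xs:decimal"/>
        <xs:any namespace="##other" processContents="lax"
                minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```

The two approaches are kept in separate element declarations on purpose: placing an explicit ds:Signature particle next to a ##other wildcard in the same content model makes a ds:Signature element match either particle, which violates XML Schema's Unique Particle Attribution rule. Note also that the wildcard in ExtensibleOrder only covers elements that are added; if encryption replaces Amount with xenc:EncryptedData, the required Amount element is gone and validation still fails unless the schema makes that element optional as well.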

One possible solution that has been mentioned is to layer signature  
processing and schema validation, and thus only XML Schema validate  
after signatures have been processed (and removed).

This can be problematical in a workflow where multiple signatures are  
added to a document, for example a signature and then a  
countersignature, where the counter-signing application considers the  
entire document to include the first signature. In this case removing  
the first signature is counter to the semantics and intent of the  
application.

Thus it may be appropriate to either request all schema authors to  
adopt a best practice of anticipating one or more signatures and/or  
encryption, or to attempt to address this in the core XML Schema  
specification - in other words treat security as a fundamental aspect  
of schema in general.

regards, Frederick

Frederick Hirsch
Nokia

[1] http://www.w3.org/2008/08/19-xmlsec-minutes.html#item04

This should close ACTION-44

Received on Wednesday, 27 August 2008 18:54:30 UTC