- From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
- Date: Tue, 04 Nov 2008 16:09:39 +0100
- To: XMLSec WG Public List <public-xmlsec@w3.org>
- Message-ID: <491065B3.7030108@iaik.tugraz.at>
Dear fellow XML-Sec members,

> Draft database certificate use case and requirements for document,
> share on mail list

Let me first state more precisely that the requirement for XML Signatures to be able to secure derived data is not only limited to data derived from a database.

Rationale: The rationale for requiring XML Signature applications to remain (at least optionally) supporting standard XML transformations, like stylesheets (XSL), is to have a deployed capability for securing derived data. This data can either be retrieved from a database or larger XML documents and is to be transformed into human-readable formats such as HTML, XHTML, plain text or PDF.

cf. http://www.w3.org/TR/xmldsig-core/#sec-Seen

> If signing is intended to convey the judgment or consent of a user
> (an automated mechanism or person), then it is normally necessary to
> secure as exactly as practical the information that was presented to
> that user. Note that this can be accomplished by literally signing
> what was presented, such as the screen images shown a user. However,
> this may result in data which is difficult for subsequent software to
> manipulate. Instead, one can sign the data along with whatever
> filters, style sheets, client profile or other information that
> affects its presentation.

1. Requirement: XML Signatures should be able to secure derived data.

The chain of transforms is supposed to be secured by the signature itself and shall express the derivation as reproducible processing to retrieve the actually secured data (the digest input), which is to be presented to the user.

cf.: http://www.w3.org/TR/xmldsig-core/#sec-See

> the transformed document that should be represented to the user and
> signed

As concerns about the trustworthiness and the impracticability and high costs of inspecting and analyzing stylesheets have been raised:

2. Requirement: The ds:SignatureValue and the ds:SignedInfo shall be verified before the ds:Reference elements.

Hence only signed ds:Transforms will be executed. Stylesheets referred to via xsl:include or xsl:import will have to be referred to by a ds:Reference previous to the ds:Reference in question (the one including/importing the other stylesheets).

3. Requirement: The XML Signature Spec should require implementations to prominently allow access to the digest input.

4. Requirement: Requirements 1. to 3. should not prevent a profile or new markup from clearly designating constrained transforms allowing for streaming processing, potentially including constrained stylesheets.

Konrad
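Requirements 2 and 3 above, together with the rule that an imported stylesheet must be covered by an earlier ds:Reference, as an added Python model (not code from this post, the WG, or any XMLDSig library): the HMAC key, the fixed serialization standing in for C14N and the two toy transforms are constructed assumptions, and the transform log shows that nothing runs until SignedInfo has been authenticated.

```python
import hashlib
import hmac
# Constructed stand-ins (assumptions, not the XMLDSig wire format): ds:SignedInfo is a list
# of reference dicts, C14N is a fixed serialization, ds:SignatureValue an HMAC-SHA256 over it.
KEY = b"constructed-demo-key"

def canonical_signed_info(refs):
    return "|".join(f"{r['uri']};{','.join(r['transforms'])};{r['digest']}"
                    for r in refs).encode()

def signature_value(refs):
    return hmac.new(KEY, canonical_signed_info(refs), hashlib.sha256).hexdigest()

def apply_transform(name, data, documents):
    # Constructed transforms: "upper", and "xslt:<uri>" which prepends the stylesheet bytes.
    if name == "upper":
        return data.upper()
    if name.startswith("xslt:"):
        return documents[name[5:]] + b":" + data
    raise ValueError(f"unknown transform {name}")

def make_reference(uri, transforms, documents):
    data = documents[uri]
    for name in transforms:
        data = apply_transform(name, data, documents)
    return {"uri": uri, "transforms": transforms,
            "digest": hashlib.sha256(data).hexdigest()}

def sign(refs):
    return {"signed_info": refs, "signature_value": signature_value(refs)}

def verify(signature, documents, transform_log):
    # Requirement 2: authenticate SignedInfo first, so only signed ds:Transforms ever run.
    refs = signature["signed_info"]
    if not hmac.compare_digest(signature_value(refs), signature["signature_value"]):
        return False, {}                   # forged SignedInfo: no transform executed
    secured, digest_inputs = set(), {}
    for ref in refs:
        data = documents[ref["uri"]]
        for name in ref["transforms"]:
            # A stylesheet may be used only once an earlier ds:Reference has secured it.
            if name.startswith("xslt:") and name[5:] not in secured:
                return False, digest_inputs
            transform_log.append((ref["uri"], name))
            data = apply_transform(name, data, documents)
        if hashlib.sha256(data).hexdigest() != ref["digest"]:
            return False, digest_inputs
        digest_inputs[ref["uri"]] = data   # Requirement 3: digest input stays accessible
        secured.add(ref["uri"])
    return True, digest_inputs
```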
Received on Tuesday, 4 November 2008 15:11:01 UTC