- From: Winchel 'Todd' Vincent, III <Winchel@mindspring.com>
- Date: Thu, 24 Jun 1999 15:15:53 -0400
- To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
>From: Ralph R. Swick <swick@w3.org> Sent: Wednesday, June 23, 1999 4:36 PM > > The specific point at issue here is whether changes to a document's > "defining document"; i.e. today its XML DTD, tomorrow its XML Schema, > can alter the interpretation of a document. If changes can alter > the intended application interpretation, then the signature process > must explicitly account for this in some manner. > > One could certainly include this case in the generalization to any > object that is external to the signed document but I suspect that > the DTD or XML Schema is sufficiently important to warrant explicit > treatment in the signature specification. > From: Bugbee, Larry Wednesday, June 16, 1999 3:03 PM > > 1. If person A signs a portion of a document and it is > altered and signed by B, will you be able to later > know what A signed? The following is both a legal perspective and a technical/policy solution for the above issue(s): The law generally requires an "original" to be introduced into evidence. Anything but an "original" has historically not been considered credible evidence. As modern devices, such as copiers, have made it cheap and easy to duplicate "originals" in a way that does not materially alter their credibility, the general rule has relaxed. So, for instance, Federal Rule of Evidence 1002 states: RULE 1002. REQUIREMENT OF ORIGINAL To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Congress. However, Federal Rule of Evidence 1003 relaxes this rule by stating: RULE 1003. ADMISSIBILITY OF DUPLICATES A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original. The problem with electronic records is that they are easily and ubiquitously copied and easily and very often undetectably altered. Applying a digital signature to an electronic record does not solve the copying problem, but it does help us to know whether a document has been altered. The problem that Ralph correctly points out (which is related to the question we discussed at the Workshop -- how far do you follow a link and do you expand entities) is that if you refer to another "object" (such as a schema definition) for the meaning of your mark-up, then you have changed the meaning of your document. So, while the digital signature give us pretty good assurance that the bits and bytes have not been altered, this assurance is not exactly what we're after -- what we really want is to make sure the meaning has not changed -- i.e., that we have credible evidence. The solution to the problem is technical but ultimately rests on policy -- it combines a mixture of either unique OIDs or URIs and reliable time stamps. If Document A relies upon its meaning from Schema B, then if Schema B changes, then so does the meaning of Document A. (This is Ralph's problem.) The solution to this problem is to make Schema B unambiguous and set the unambiguity in time. To make Schema B unambiguous, I either give it unique OID or a URI. (Note, this is a matter of policy.) (Also, I don't care whether you use an OID or a URI, as long as the reference is unique and will reliably remain unique). Once Schema B is unambiguous, you must make sure that it does not change over time. If OID #1001 (or URI http://www.w3.org/SchemaB/) references Schema B Version 1, then we haven't solved the problem if/when Schema B changes to Version 2. Version 2 will change the meaning of Document A if document A refers to it wit the same OID/URI. Relying on authors to correctly state versions numbers is OK, but to really feel safe we probably want to timestamp Schema B, Version 1 with a reliable timestamp. In this way, we can fix the meaning in time, a very safe solution until someone invents a time machine. (Of course, determining a reliable source for a timestamp is also a matter of policy.) In a conversation with Barbra Fox at the W3C Signed XML workshop, she told me that application developers are largely ignoring OIDs. I was very surprised to find that the Namespace Recommendation did not require URI to be unique. Allow me to switch back to the law: Although modern statutes have changed this requirement, to have legal title in property, the chain of title for property must be traced back from owner, to owner, to owner until you arrive a the sovereign -- the only "power" that has the authority to grant ownership is someone other than the State. Back to technology: Technology faces the same problem. I'm less a technologist that anyone on this list, but I've seen in it certificate chains. I see it policy statements about implemented technology. We face the same problem here -- somehow you have to find the root authority or, in our case, the meaning of the object you are referencing. The only way I can figure to do this is with a combination of unique object identifiers and time stamps. Todd Vincent (not Glassy, but you might not know it from the above . . . :-)
Received on Thursday, 24 June 1999 15:13:28 UTC