- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Tue, 07 Sep 1999 17:20:28 -0400
- To: <w3c-ietf-xmldsig@w3.org>
From: "John Boyer" <jboyer@uwi.com> To: "Peter Norman" <pnorman@mediaone.net>, <w3c-ietf-xmldsig@w3.org> Date: Fri, 3 Sep 1999 14:10:13 -0700 Message-ID: <NDBBLAOMJKOFPMBCHJOICEBBCBAA.jboyer@uwi.com> In-Reply-To: <4.1.19990903151958.00a775a0@pop.ne.mediaone.net> >Peter said: > >I don't want to get into a discussion of how accurately the minutes reflect >the actual remarks of the participants, but I do want to say that I am not >in favor of any form of exclude tag. What I would like to see are >processing instructions that can serve as reference points on which to base >whatever form of pointer we decide to use. There is no guarantee someone >signing a document will be able to make any substantive changes, since >either the DTD might not allow this or the document may already be signed. >Since it is also possible that the portion to be signed doesn't have a >unique ID, we need some construct that people can add as a reference for >pointers, that is not included in the hash. This would allow multiple >overlapping signatures on arbitrary XML documents. I think the word >'element' attached to dsig:target is misleading. I would prefer processing >instruction. Something like ><?dsig target="xxx"?>. > ><John> >1) The Xpointer based extract tag allows multiple overlapping signatures >using the exact commands demonstrated in the FTF. Furthermore, those >Xpointers can be constructed without needing to rely on uniquely identified >elements (Xpointers can count children, siblings, ancestors, and descendants >if necessary, and they can compare on tag name, attribute value or character >content, and they can combine multiple filtering conditions using the three >standard logical operators). The specific problem to be solved was where additional elements may legitimately be inserted outside of the area signed so that counting children, for example, doesn't work. >2) Processing instructions can be victimized by the c14n. For obvious >reasons, it is necessary to digitally sign all information that describes >how the document was filtered. So, if an application requires c14n of >signature content, and we use the processing instruction idea, then those >people will not be able to create their applications. I'm not quite sure what you mean here. I think we decided on a pipeline so that if you apply an Xpointer that used <?dsig start="..." ?> and <?dsig end="..." ?> and looked for specific matching "..." and then followed that by a canoncialization that removed PIs, you get the desired result assuming the application does not make other use of PIs and that the application does not use any signatures based on a canonicalization which would leave the PIs in there (since such signatures would fail when PIs are inserted). (You could relax the restriction on other use of PIs by using a canonicalization that only removed dsig PIs.) >3) <Peter>There is no guarantee that someone signing a document will be able >to make any substantive changes, since either the DTD might not allow this >or the document may already be signed.</Peter> >(John)I do not see how this substantiates anything related to security since it is >quite a different statement than "There is a guarantee that noone signing a >document will be able to make substantive changes...". I think he was arguing for the PI as not being "substantive" or at least not something which might conflict with the DTD the way an attribute might. If you have a document <doc><a/><b/><c/></doc> and it is already partly signed this way as in <doc></a><?dsig start=1?> <b/><c/><?dsig end=1?><sig..1../></doc> then you can still sign even overlapping subsets of the document as in <doc><?dsig start=2?> <a/><?dsig start=1?> <b/><?dsig end=2?><c/><?dsig end=1?><sig..1../><sig..2../></doc>. >4) Correct me if I've misinterpreted, but the dsig:target pi seems to be a >hook that, for a given signature, identifies the element that is sprinkled >through the document markingmarking the beginnings and ends of portions of >the document that should be signed. This has the following problems: > a) Does not achieve document closure Well, it is certainly not proposed as the only technique but it seems to me that it can be used to achieve document closure at least to the extent that Xpointer can. Just put your signatures outside the areas demarked by the dsig begin/end PIs but inside the document and the signatures don't force any change in the document type. > b) Is difficult or impossible to filter external resources. The PI marker technique assumes you can edit these PIs into things being signed (and therefore assumes them to be XML). You might or might not be able to do that. The technique doesn't work if you can't. > c) Must necessarily exclude the marker elements, which loses filtration >information and reintroduces the same application security concerns that >were mentioned in objection to putting a dsig:exclude attribute on elements. When any part of something is not signed, there is reason to be careful. I don't see why PI based Xpointer extraction is particularly worse than relative addressing Xpointer extraction (using child number, etc.) in this regard. I didn't see that the dsig:exclude attribute was so terrible either but I don't think we want too many different ways of doing the same thing. If you use the dsig:exclude attribute (which I don't think is worth including in the standard), your application has to be designed to be unspoofable by such elements since a bad guy could insert them. If you use begin/end PIs, your application has to be designed to be unspoofable by elements outside such sequences since a bad guy can add/delete them. If you use Xpointer extraction, you application hs to be designed to be unspoofable by elements that are not extracted since a bad guy can manipulate them. So what? >John Boyer >Software Development Manager >UWI.Com -- The Internet Forms Company > ></John> Thanks, Donald =================================================================== Donald E. Eastlake 3rd +1 914-276-2668 dee3@torque.pothole.com 65 Shindegan Hill Rd, RR#1 +1 914-784-7913(w) dee3@us.ibm.com Carmel, NY 10512 USA
Received on Tuesday, 7 September 1999 17:20:41 UTC