RE: Meaning of Document Closure from John Boyer on 1999-09-16 (w3c-ietf-xmldsig@w3.org from July to September 1999)

From: John Boyer <jboyer@uwi.com>
Date: Thu, 16 Sep 1999 11:55:41 -0700
To: "Joseph M. Reagle Jr." <reagle@w3.org>
Cc: "DSig Group" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLAOMJKOFPMBCHJOICEDLCBAA.jboyer@uwi.com>
<Joseph>
What do you mean by unfinished document? (I think I'm getting the gist, and
with the C example you seem to be referring to the language completeness v.
expressitivity issue...)

Is an unfinished document a document that does not have va syntax required
by the specified grammar of its schema definition?
</Joseph>

<John>
A document is an instance.  If you will, it is an element of the set of all
expressions of a given language.  The language itself consists of a set of
vocabulary tokens and a set of grammar rules (if we were in tuple land,
there would actually be four pieces, but that will just clutter the
discussion).

XML provides the grammar, and extension languages like HTML provide most of
the vocabulary (often via a DTD).  Beyond language recognition, there are
the language semantics.  For example, what does the following markup mean?

<itemlocation content="array">
	<ae content="array">
		<ae>absolute</ae>
		<ae>100</ae>
		<ae>50</ae>
	</ae>
	<ae content="array">
		<ae>extent</ae>
		<ae>200</ae>
		<ae>150</ae>
	</ae>
</itemlocation>

To an XFDL viewer, it means that the item containing this markup occupies a
rectangular region of length 200 width 150 whose upper left corner is at
x=100 and y=50 reading the x-axis down and y-axis to the right.

By examination of all signed items, it is possible to determine whether any
signed item overlaps any other signed item.  Furthermore, by means of a
'document closure' specification within that signature, it is possible to
express the idea that no item  capable of occupying screen space could
possibly have been added to obscure something important like the fine print
of an agreement.

So, yes, you are right that the C example was designed to show that it is OK
for us to create an XML signature syntax that allows the expression of
security problems as long as it is complete enough to allow the expression
of signatures that are free of security problems.

However, the notion of unfinished document is different from what you
described.  An unfinished document does not refer to extensibility of
language vocabulary.  A document is an instance of a given language.  An
unfinished document is simply a document (language instance) that still
requires work to be done on it after a signature is applied.  The ability of
XML signature syntax to express document closure is the ability to precisely
define the vocabulary and grammatical changes that constitute the remaining
work such that deviations from that remaining work will break the signature.

My point is that, as a matter of completeness, the ability to express
document closure must be included if we are to require the ability to sign
partial documents.  If we allow partial document, but add support for
document closure as optional, then almost noone will use document closure
because they will want their signatures to be verifiable by others' software
(XML is about interoperability, after all).  So they have a paradox:

1) use document closure and abandon interoperability
2) abandon document closure and suffer security holes
3) implement application-specific document closure, which also abandons
interoperability since other systems will not really be doing what is
necessary to validate the resource.
</John>

At 08:53 99/09/14 -0700, John Boyer wrote:
 >The common language usage of the term closure is
 >as a noun for the act of closing or finishing (e.g. "We would like closure
 >on this specification process as soon as possible").
 >
 >The current XFDL filters are designed to specify the precise conditions
 >necessary to close or finish a document.  Thus, if person A signs an
 >unfinished document, then the signature filters can be set up to describe
 >precisely what is allowed to change after Person A's signature in order to
 >achieve closure on the document.
 ...
 >Since application
 >designers are able to define part of the language that is being signed
(the
 >keywords used by their brand of XML), our task is simply to provide
 >mechanisms that allow secure signatures to be created regardless of the
 >particular well-formed XML grammatical constructs that are selected by the
 >application designer.  Otherwise, we are deciding to sign a subset of
 >well-formed XML and must go to the trouble of defining that subset and
then
 >considering whether the subset is sufficiently powerful
 >to express the types of signatures that the community at large will need
to
 >create.

_________________________________________________________
Joseph Reagle Jr.
Policy Analyst           mailto:reagle@w3.org
XML-Signature Co-Chair   http://w3.org/People/Reagle/
Received on Thursday, 16 September 1999 14:57:47 UTC