- From: John Boyer <jboyer@uwi.com>
- Date: Wed, 22 Sep 1999 11:00:15 -0700
- To: "Joseph M. Reagle Jr." <reagle@w3.org>, "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
- Cc: "Tim Berners-Lee" <timbl@w3.org>, <swick@w3.org>
Hello all,

Joseph did a fine summary in my opinion. He also asked me to post that which is below as further information. With both a good theoretical and a good practical formulation, hopefully we have definitions of closure to suit everyone's tastes. Here goes:

1) We want to sign XML, which has (virtually) no vocabulary and semantics of its own.

2) We want to sign portions of this XML.

3) Since we do not know the vocabulary and semantics beforehand, it is impossible for us to construct a digraph of data dependencies among the elements.

4) If such a digraph existed, the transitive closure of a set S of elements would be all elements reachable from an element of S by a path of data dependency arcs (directed edges).

5) We do not know what the graph looks like, so it could be a complete graph. Hence, any strategy for implementing transitive closure must scan the entire document.

6) Although we do not know anything about the graph of data dependencies, the author of a particular XML document does. He/She knows the vocabulary, its semantics, and even the usage scenarios for the document. Hence, the author *is* qualified to write a node test that decides whether or not each element of the document is part of the transitive closure.

7) The intent of computing closure on the document is to find every element that could impact the interpretation of the document. Whose judgement is used in determining this? The document author's judgement is being used since the author wrote the node test. Our judgement of semantics within the dsig specification is not required; rather, we simply need to provide the document author with a way of expressing his/her judgement regarding what constitutes closure.

8) An equivalent way of looking at this is that the node test of a signature expresses the additional changes which can be made to the document after the signature is created. These changes are permitted because the signed data is not considered to be data dependent on these changeable elements.

9) A more practical interpretation of this feature is that it allows the document author to express precisely what changes can be made after a signature is affixed to close or finish the document. The things that can change or be added to close a document are precisely those that are not in the transitive closure of the affixed signature. Whose judgement is used in determining this? The document author's judgement is being used since the author wrote the node test. Our judgement of semantics within the dsig specification is not required; rather, we simply need to provide the document author with a way of expressing his/her judgement regarding what constitutes closure.

10) Although I will always have something positive to say about an elegant theoretical formulation, my preference in this case is for the latter interpretation because I am regularly brought to task to explain why this theory is necessary. The latter interpretation focuses one's attention on the elements in ~T = (document - transitive closure of signature).

11) The efficacy of a method for providing closure can be measured by the degree of precision it offers in preventing elements from entering ~T. Although the marker method obviously prevents modifications of signed regions, it is not very good at expressing closure because arbitrary elements can be added to the document without impacting the signature. By comparison, a node test which directly decides whether to keep each element based on an XPath is superior since its node test can be constructed to forbid unwanted changes in the unsigned regions of the document (in other words, it is superior because it can place greater restrictions on ~T).

12) The direct application of an XPath is also seen to be superior from an expressive viewpoint. Recall my assertion that XPath's ancestor-or-self axis could be used in conjunction with previous-sibling and following-sibling to simulate the marker method. Since the direct method can also express closures that are unexpressible by the marker method, the marker method is a proper subset of the expressions available by direct application of an XPath to the document.
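The contrast drawn in points 11 and 12 of the post, as an added example that is not part of John Boyer's message or of any XML-DSig implementation: the sample document, the `<signed>` marker region, the `<countersignatures>` slot and the two node tests are constructed assumptions, and the node tests are written as Python predicates standing in for the XPath the author would supply. It shows that the marker method leaves an unsigned element added outside the marked region undetected, while a direct node test that pins down ~T to exactly the countersignature slot detects the same addition.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample document: a marked signed region, a slot the author
# intends to leave open for later countersignatures, and nothing else.
DOC = """<form>
  <signed>
    <amount>100</amount>
    <payee>Alice</payee>
  </signed>
  <countersignatures/>
</form>"""

def digest(root, node_test):
    """Hash the elements the node test keeps, in document order.
    Only tag and text are serialized here; a real signature would
    canonicalize the kept node set instead."""
    kept = [(el.tag, (el.text or "").strip())
            for el in root.iter() if node_test(root, el)]
    data = "\n".join(f"<{t}>{x}</{t}>" for t, x in kept).encode()
    return hashlib.sha256(data).hexdigest()

def marker_test(root, el):
    """Marker method: keep an element only if it lies inside <signed>.
    Everything outside the markers is in ~T, whatever it turns out to be."""
    return any(el in region.iter() for region in root.iter("signed"))

def direct_test(root, el):
    """Direct node test: keep everything except the countersignature slot,
    so ~T is exactly the set of changes the author chose to permit."""
    return not any(el in slot.iter() for slot in root.iter("countersignatures"))

def compare(node_test):
    """Return (permitted change unnoticed, unwanted change unnoticed)."""
    original = ET.fromstring(DOC)
    permitted = ET.fromstring(DOC)   # a countersignature lands in the open slot
    ET.SubElement(permitted.find("countersignatures"), "sig").text = "Bob"
    unwanted = ET.fromstring(DOC)    # an element slipped in outside <signed>
    ET.SubElement(unwanted, "note").text = "pay double"
    base = digest(original, node_test)
    return (base == digest(permitted, node_test),
            base == digest(unwanted, node_test))

if __name__ == "__main__":
    print("marker:", compare(marker_test))   # (True, True)
    print("direct:", compare(direct_test))   # (True, False)
```

A verifier relying on the marker test sees no difference after the unwanted `<note>` is added, because that element never entered the signed set; the direct test's digest changes, since the author's node test restricted ~T to the countersignature slot alone.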
Received on Wednesday, 22 September 1999 14:02:43 UTC