- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Wed, 13 Oct 1999 15:52:36 -0400
- To: dee3@us.ibm.com
- Cc: w3c-ietf-xmldsig@w3.org
At 23:47 99/10/12 -0400, dee3@us.ibm.com wrote: >Only What is Signed is Secure > >The flexible Transformations mechanism, including canonicalization and explicit >filtering and extraction, permit securing only a subset of data in an object. >This is good for many applications where a limited portion of an object must >change after the signature or different signatures secure different parts or the >application modifies aspects of the object that are not significant and can be >omitted from signature coverage or the like. Keep in mind that whenever this >is done, those aspects that are not signed can be arbitrarily modified and the >signature will still validate. Given this section is called "transformations" for good reason, I'm concerned about the reliance upon "subset of data". How about something like: The Transformations mechanism permits the signer to transform a source document into a derived document. Two obvious purposes for this feature is to canonicalize a document, or perform filtering and extraction such that the application derives and signs only a subset of the source content. Consequently, those portions of the source document that are not reflected in the derived document can be arbitrarily modified and the signature will still validate. >Only What is "Seen" Should be Signed > >If signing is intended to convey the judgment or consent of an automated >mechanism or person concerning some information, then it is normally necessary >to secure as exactly as possible the information that was presented to that >mechanism or person. Note that this can be accomplished by literally signing >what was presented, for example the screen images shown a user. However, this >may result in data which it is difficult for subsequent software to manipulate. >It can be effective instead to secure the full data along with whatever filters, >style sheets, or the like were used to control the part of the information that >was presented. I think I prefer the following <smile> Applications are recommended to ensure signers understand the actual resulting content that is being signed after transformations are applied. Users should not be tricked into signing a native content that is transformed into something that the user would not have signed otherwise. This recommendation applied to transformations specified in the signature block, as well as transformations found within the document itself. _________________________________________________________ Joseph Reagle Jr. Policy Analyst mailto:reagle@w3.org XML-Signature Co-Chair http://w3.org/People/Reagle/
Received on Wednesday, 13 October 1999 16:00:00 UTC