Re: Location shouldn't be signed! from Donald E. Eastlake 3rd on 1999-10-28 (w3c-ietf-xmldsig@w3.org from October to December 1999)

From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
Date: Thu, 28 Oct 1999 09:08:49 -0400
To: Andreas Siglreithmayr <andreas.siglreithmayr@ixos.de>
cc: "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>, "'dee3@us.ibm.com'" <dee3@us.ibm.com>, Reiner Hüttl <reiner.huettl@munich.ixos.de>, Robert Frost <robert.frost@munich.ixos.de>
Message-Id: <199910281308.JAA09629@torque.pothole.com>

Hi,

From:  Andreas Siglreithmayr <andreas.siglreithmayr@ixos.de>
Resent-Date:  Thu, 28 Oct 1999 04:27:09 -0400 (EDT)
Resent-Message-Id:  <199910280827.EAA17052@www19.w3.org>
Message-ID:  <9F077EBC72BFD211AEF90060080F37366C79FB@muc-mail4.ixos.de>
To:  "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
Cc:  "'Joseph M. Reagle Jr.'" <reagle@w3.org>,
            "'Donald E. Eastlake 3rd'"
    	 <dee3@torque.pothole.com>,
            "'dee3@us.ibm.com'" <dee3@us.ibm.com>,
            =?iso-8859-1?Q?Reiner_H=FCttl?= <reiner.huettl@munich.ixos.de>,
            Robert Frost <robert.frost@munich.ixos.de>
Date:  Thu, 28 Oct 1999 10:27:37 +0200

>I wrote several weeks ago (  How to sign several resources (XML and XSL)? ).
>
>	First a question to Donald Eastlake and Joseph Reagle:
>
>	IXOS wants to participate actively in the XMLDsig Working Group.
>
>	How can someone of IXOS become a member of the working group?
>
>	Please reply to reiner.huettl@ixos.de and robert.frost@ixos.de.

As a joint IETF/W3C working group, you can do so by just subscribing
to the mailing list.  Send mail to w3c-ietf-xmldsig-request@w3.org
with "subscribe" in the subject line.  The working group decision
process is the IETF mailing list consensus process.  You can also
ask Joseph Reagle to list you on the participants web page.

>Now my suggestion:
>
>In the draft Section 6.0 is described, how to generate a signature.
>
>It says, that the signature is calculated over SignedInfo.
>
>Signed Info includes the information about the locations of the  data to be
>signed.
>
>I think this isn't practically usefull, because the location in the web or
>on a server of a  DTD or a stylesheet, which are signed could change.
>
>If someone wants to change the position of signed data, all XML signatures,
>which references to this position have to be recalculated otherwise it
>couldn't be  verified.
>
>One solution would be a package, of course. But think about someone who
>signs several pictures.
>The person have to embed the data of the pics in the xml document.
>That would make the xml huge.

In our current vocabulary, I think you mean an Object the includes the
actual data being signed.

>The easiest solution would be not to sign the location.
>
>Another solution made by a colleague of me would be to allow a reference to
>point to a reference, that points to the position of the proper data.
>I think about something like the following:
>
><Signature>
>	<SignedInfo>
>		(CanonicaliziationMethod)
>		(SignatureMethod)
>		<ObjectReference Id=? Location="#reference1" Type=reference
>>
>			(Transforms)
>			(DigestMethod)
>			(DigestValue)
>		</ObjectReference>
>		....
>	<SignedInfo>
>	(SignatureValue)
>	(KeyInfo)
>	(Object)
>	...
>	<Reference Id = "reference1" Location=? Type=? />
>	...
></Signature>

The way to get the effect of what you have above under the current
draft is to have the SignedInfo ObjectReference point to an Object
containing a Manifest and put this second level pointer inside the
Manifest.  In either case, the core behaviour will check the signature
on the "Reference" or Manifest but it would be up to the application
whether it checks the digest in the Manifest or uses any Location
provided in the "Reference".

Alternatively, you really can't check the signature without getting
your hands on the data somehow.  If you put some sort of URL in the
SignedInfo ObjectReference Location, like
http://example.ixos.de/cgi/document-finder?special-document-serial-number
then presumably the core signature verfier would do a call-out to
fetch the data from this URL and your cgi could get the data from
where ever it is.  If there is no way to reliably get the real data
you are trying to secure, there is not way to secure it.

>> -----------------------------------------------------------
>> Andreas Siglreithmayr
>> Intern
>> Innovation
>> 
>> iXOS Software AG
>> Technopark Neukeferloh
>> Bretonischer Ring 12
>> D-85630 Grasbrunn/München
>> NEW TELEPHONE NUMBERS!!
>> Phone: (+49)-(89)-4629-1136
>> Fax: (+49)-(89)-4629-331136
>> World Wide Web: http://www.ixos.com/deutschland
>> E-Mail: andreas.siglreithmayr@ixos.de

Thanks,
Donald

Received on Thursday, 28 October 1999 09:08:59 UTC