RE: Comments on XML-Signature Core Syntax from Brian LaMacchia on 1999-10-30 (w3c-ietf-xmldsig@w3.org from October to December 1999)

From: Brian LaMacchia <bal@microsoft.com>
Date: Sat, 30 Oct 1999 14:27:41 -0700
To: "'tgindin@us.ibm.com'" <tgindin@us.ibm.com>
Cc: XML-DSIG <w3c-ietf-xmldsig@w3.org>
Message-ID: <39ADCF833E74D111A2D700805F1951EF0E32EDD2@RED-MSG-06>

Your statement assumes that XML signatures need "the equivalent of PKCS-7 or
CMS authenticated attributes".  They don't.  XML makes things like CMS
signed attributes (and unsigned attributes) completely unnecessary and
obsolete; when you can exactly express the semantic content you wish to
secure as a single XML blob, there's no need to complicate the signature
structure with further adornments.  

In your example below, as you point out the notary does not "sign" the base
document.  Rather, the notary signs a new document which includes four
elements: (1) a "base" document, (2) customer's signature object on base
document, (3) a time-related object (perhaps something like a Surety
timestamp object), and (4) other semantic statements made by the notary.
Together, this compound object, which has its own type and semantics, is
then signed by the notary.  The semantic meaning of the notary-signed object
is clear from its type and contents, and the signed statement stands on its
own, independent of the customer's signature object (2) referenced inside.

If I rephrase your question as, "Assuming that I want to use something like
CMS signed attributes in my XML-DSIG application, is there agreement that
the attributes I define and create go into a SignatureProperties object?", I
believe the answer to this question is "No. It is certainly possible to do
it that way, if you so choose, but it's not required."

					--bal

-----Original Message-----
From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com]
Sent: Friday, October 29, 1999 2:19 PM
To: XML-DSIG
Subject: RE: Comments on XML-Signature Core Syntax


     Is there agreement that  the equivalent of PKCS-7 or CMS authenticated
attributes go into SignatureProperties?  I do think that the equivalents of
CMS authenticated attributes are very valuable in signing applications.  In
particular, in something like a notary service, the most natural form for
an "attestation" by a witness is a CMS authenticated attribute.  An example
of what I mean would be something like the following:
A)   An American notary (no extra legal powers) checks the photographic ID
of the customer who wants a signature notarized.
B)   Today, the notary adds the details of the ID to a large bound book
which is kept under lock and key.
C)   In CMS or PKCS-7, the natural thing to do would be to add an
authenticated attribute for "checked driver's license" or "checked
passport" to the base of the notary's signature, with a value containing,
among other things, "common name", "issuing jurisdiction", "serial number",
and "validity period".  Losing this capability in XML signing would not,
IMHO, be a good thing.

     The notary's signature would be applied to the base document, to the
customer's signature, to the signing time, and to the attestations
together.

          Tom Gindin

Received on Saturday, 30 October 1999 17:36:29 UTC