Re: Omitting Location and Transforms from SignedInfo from Mack Hicks on 1999-11-17 (w3c-ietf-xmldsig@w3.org from October to December 1999)

From: Mack Hicks <mack.hicks@bankofamerica.com>
Date: Wed, 17 Nov 1999 11:02:48 -0800
To: w3c-ietf-xmldsig@w3.org
Cc: rhimes@nmcourt.fed.us
Message-id: <3832FBD8.6139BF39@bankofamerica.com>

To: XML Digital Signature Working Group

Rich has suggested naming a transform. This prompts my comment.

rhimes@nmcourt.fed.us wrote:  <snip>

> If we have a transform which says "if and only if the document is base64
> encoded, decode it", I believe we should have a standard way of identifying the
> state of the document as base64-encoded (outside SignedInfo).  Otherwise, I
> believe transforms belong outside SignedInfo, and the transform should be just
> "base64-decode".
>
> <snip>

I have had some audit experience in banking as well as information security. I
approach the issue by asking: "How will I describe to the business, auditor, and
information security specialists exactly what is being signed?"

I view transforms as a type of "macro" with full computational powers. Thus the
business (signer) is signing an algorithm to act on data. If any transform can be
placed in signed data, how will the business signer or relying party be able to
determine exactly what the effects of the transform are to the satisfaction of their
auditors?  I think this will be difficult to explain at best.

At the DC IETF WG meeting, several example transforms were suggested. I could see
the business need for many of the examples.  I was just uncomfortable with having
arbitrarily constructed transforms.

Admittedly, "base64 encoding" is an algorithm (transform) operating on the data, but
the algorithm/concept has been fully vetted and reviewed by many parties in the
standards and security community. I have been able to explain "base64 encode/decode"
to auditors and business with success relying on the existing extensive review
literature.

 Following the example of  "base64", I believe that transforms must be "named," well
known algorithms with review by standards bodies. If this is the case, I can see
explaining to auditors and business that the transforms need to be part of the
signedinfo, and they are fixed, well defined, named, and vetted transforms.

--
-------------------------------------------------------------------
Mack Hicks, SVP     mack.hicks@bankofamerica.com
Bank of America  +1-415-436-5809

Received on Wednesday, 17 November 1999 14:03:33 UTC