DSig related implementation questions.

 Hi,
  I am a newbie doing research on signing documents using XML based on
  DSig. I would really appreciate it if you would take some time to
  understand my question and reply to me. Please respond.
 
 Thanks.


 My understanding is:
 
 - Locate the web document(s), file(s) we want to sign.
 - Generate an XML file conforming to XML-DSig or the XML-DSig Schema
 - Define all the necessary transforms, digest functions, etc...
 - Hash the intended resources, and put these hashes under the resource
   element
 - Hash the SignedInfo element (using DOMHash?) and sign only this hash.
 - I believe, we can either include the document signed or point to it
   using URI, URL, etc..
 
 Now the question: what's next? Do I process this file? Do I parse it?
 What do I send to the verifier? How do I send it? What does the verifier
 get? Unparsed or parsed data? Don't you think that, in order to verify the
 signature over SignedInfo, I should obtain the SignedInfo element
 unparsed, so that I can hash it to verify the signature? Is there any way
 to recreate the original XML file from the DOM representation (parsed form)?

 - With the current specs, DTDs and Schemas, do you think I can
   implement the Elliptic Curve Digital Signature Algorithm instead of RSA
   or DSA?
   And instead of X509, can we use SPKI certificates? How do I put
   these under the keyinfo element? Do I have to refer to our local
   namespace or DTD or Schema at the beginning of the XML document?
   say <Signature xmlns  dsig:www.w3c.org/DSig>
                         mysig:www.mywebsite.com>

  then under key info element
       <mysig:my SPKI certificate>
       <mysig:my SPKI public key>
       <mysig:ECDSA key parameters>, etc...

  
If you don't mind, I have several more questions. I would appreciate it if
you would give them a try or point me to some people who can answer.


1. After parsing an XML document, let's say we have the DOM representation
   of the original XML document/file. Can we create the original XML doc
   given the DOM representation?

2. Can you list the parsers that support both DTD and XML Schema?

3. Is there any XML parser that I can download, modify and distribute with
   commercial software?

4. When we tell our parsers to preserve whitespace, how do they preserve
   it? Blank, characters? Is this specified?

5. Let's say a party creates a big XML file containing some resources, and
   a signature element which contains the signature values and hash values
   over these resources. If I were to verify this signature, I should have
   access to this original XML file or at least the signature element and
   maybe a manifest inside the document. How do I get that part unparsed?
   What does a parser return after parsing a file? How do I obtain the
   original document? How do I find/extract the <signature> objects?


 Thank you very much.

             -----------------------------------------   
                          Murat Aydos
                    Oregon State University
               Electrical & Computer Engineering
                        Corvallis, Oregon
                       Tel: (541) 737-4861
                       Tel: (541) 758-1559 (Home)
                       http://www.ece.orst.edu/~aydos
              -----------------------------------------

Received on Wednesday, 12 April 2000 16:22:19 UTC
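
The signing steps listed in the message, and its question about verifying SignedInfo from parsed data, as an added example that is not part of the original message: both sides re-serialize the parsed SignedInfo canonically, so the verifier does not need the signer's original bytes. Assumptions: Python's standard-library C14N 2.0 serializer stands in for the canonicalization the specification defines, HMAC-SHA256 stands in for the RSA/DSA/ECDSA signature step, and the key, URI, `Id` value and resource bytes are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

Q = "{http://www.w3.org/2000/09/xmldsig#}"   # XML-DSig namespace in ElementTree form

def b64(data):
    return base64.b64encode(data).decode("ascii")

def signed_info_bytes(signature_xml):
    """Locate SignedInfo in the parsed tree and re-serialize it canonically."""
    si = next(ET.fromstring(signature_xml).iter(Q + "SignedInfo"))
    si.tail = None                     # text after the end tag is not part of it
    return ET.canonicalize(ET.tostring(si, encoding="unicode")).encode("utf-8")

def sign(uri, resource, key):
    sig = ET.Element(Q + "Signature")
    ref = ET.SubElement(ET.SubElement(sig, Q + "SignedInfo"), Q + "Reference",
                        {"URI": uri, "Id": "r1"})
    # Hash the resource and store the digest inside SignedInfo.
    ET.SubElement(ref, Q + "DigestValue").text = b64(hashlib.sha256(resource).digest())
    # Only the canonical SignedInfo is authenticated, not the resource itself.
    unsigned = ET.tostring(sig, encoding="unicode")
    mac = hmac.new(key, signed_info_bytes(unsigned), hashlib.sha256).digest()
    ET.SubElement(sig, Q + "SignatureValue").text = b64(mac)
    return ET.tostring(sig, encoding="unicode")

def verify(signature_xml, resource, key):
    root = ET.fromstring(signature_xml)
    digest = root.findtext(".//" + Q + "DigestValue", "")
    value = root.findtext(Q + "SignatureValue", "")
    mac = hmac.new(key, signed_info_bytes(signature_xml), hashlib.sha256).digest()
    # Both checks must pass: the value over SignedInfo and the resource digest.
    return (hmac.compare_digest(b64(mac), value) and
            hmac.compare_digest(b64(hashlib.sha256(resource).digest()), digest))

def reserialized(signature_xml):
    """Constructed stand-in for a copy that passed through another XML tool:
    same information, different attribute order, quoting and spacing."""
    return signature_xml.replace('URI="doc.txt" Id="r1"', "Id='r1'   URI='doc.txt'")

if __name__ == "__main__":
    key, doc = b"constructed-demo-key", b"constructed resource bytes\n"
    sent = sign("doc.txt", doc, key)
    got = reserialized(sent)
    print(got != sent, verify(got, doc, key), verify(got, doc + b"x", key))
```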