RE: Scenarios/FAQ from John Boyer on 2000-01-18 (w3c-ietf-xmldsig@w3.org from January to March 2000)

From: John Boyer <jboyer@uwi.com>
Date: Tue, 18 Jan 2000 09:34:37 -0800
To: "Christophe Vermeulen" <Christophe.Vermeulen@alcatel.be>, "DSig Group" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLAOMJKOFPMBCHJOIMEBDCDAA.jboyer@uwi.com>
Hi Christophe,

I don't know for sure why you are concluding that you cannot use XMLDSIG in
the way you want.  Why don't you send in a few example messages along with
indications of the parts you'd like to sign.  Then, we'll have a better
understanding of whether your conclusion is correct.

Regarding your request to elaborate on 2.answer3 in another FAQ, there won't
be a need to do this.  The current document included only 'rough' answers
that will be elaborated upon in more detail and *including* DSIG markup
examples.  We only wanted to get some questions and rough answers out there
in case anyone felt we were way off base regarding the overall document
structure or the general direction that the answers would take.

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company





-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of Christophe
Vermeulen
Sent: Tuesday, January 18, 2000 8:45 AM
To: DSig Group
Cc: John Boyer
Subject: Re: Scenarios/FAQ


Hi,

Andreas Schmidt wrote:
> John Boyer wrote:
>
> I want to briefly comment on FAQs 2) and 5) cited below

As I'm not an active member of this group, I'll state the context :
In the IETF IMPP WG, we are currently defining an XML presence format that
should be understood by "very simple parsers", though allow signing
documents. The idea at the moment is to use multipart/signed for that,
although we would like to evaluate the use of XMLDSIG, especially for
signing only part of the document in some circumstances. But if I believe
the FAQ, it seems not possible to use XMLDSIG in S/MIME. Right ?

So maybe none of the three solutions below would work, as we expect
the XML document to be "untouched". Or could we have a "detached"
signature that refers to the "related"/sibling MIME part ?
(Is there an URL way of refering to siblings ?)

> > 2) I have a whole XML document.  How do I sign it?
> >
> > A1: If the XML document is addressable by a URL, then you could create a
> > detached signature. The SignedInfo Reference would include a URI to the
XML
> > document.
> >
> > A2: If you have a copy of the XML document in some temporary file or
memory
> > buffer, you can put the data in an enveloping signature.  It is likely
that
> > you will have to base-64 encode the XML document since an entire XML
> > document cannot appear as element content.  Alternately, character
sequences
> > forbidden from content by XML can be escaped using the XML escaping
> > mechanism.
> >
> > A3: You could create an enveloped signature inside the XML document. The
> > SignedInfo Reference would refer to the document’s root element.  The
> > signature would have to use transforms to excluded itself from the
message
> > digested in the Reference’s DigestValue.

I think it is needed to elaborate on that last sentence in another FAQ :

Q 2 bis) I want to include an enveloped signature inside the signed
document. How can I exclude itself from the signing process ?

> > 5) I have an XML document.  How do I combine that document with a
signature
> > such that, in the resulting document, the signature signs the original
> > document?
> >
> > A1: Create an enveloping signature around the root element of the
document.
> > A2: Create an enveloped signature.  The signature is placed inside the
> > document, and its SignedInfo Reference contains transforms that omit the
> > signature from the document.

> First it seems to me, that these two could be combined into a single
> question (maybe with subpoints).

They look very close to me too, but maybe there is a difference I don't get
?.

> 1. In answers 2) A3 and 5) A2 the _minimum_ content to be omitted by the
> transformations (DigestValue and SignatureValue), and that it MUST be
omitted
> for the signature to validate should be clearly stated (since I think FAQs
> are for the non-expert).

yes, and I'm definitely one of those. Even further : an example of such a
transform in the FAQ would be appreciated.

Christophe.
------------------------------------------------------------------------
Statutory Disclaimer: The above is not necessarily an Alcatel position.
------------------------------------------------------------------------
          _             Christophe Vermeulen
          V             Security Specialist, Service Deployment Project
 .-----------------.    Alcatel Bell, Research Division DS9 F/C0
 |  A L C A T E L  |    Fr. Wellesplein 1 - B-2018 Antwerp - Belgium
 '-----------------'    Phone: +32 3 240 8942 - Fax: +32 3 240 8485
                        mailto:Christophe.Vermeulen@alcatel.be
                        http://www.rc.bel.alcatel.be/~meulenc (Intranet)
------------------------------------------------------------------------
Received on Tuesday, 18 January 2000 12:38:36 UTC