AW: Thoughts on Threat Model from Peter Lipp on 2000-01-25 (w3c-ietf-xmldsig@w3.org from January to March 2000)

From: Peter Lipp <Peter.Lipp@iaik.at>
Date: Tue, 25 Jan 2000 14:57:41 +0100
To: "John Boyer" <jboyer@uwi.com>, <reagle@w3.org>
Cc: "DSig Group" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLDEHJKOODMJCNBNCKEPNDBAA.Peter.Lipp@iaik.at>

> So, the wording of our document would need to be
> changed to say that the signer MUST perform the transforms as part of
> calculating the message.
While I wouldn't really mind saying MUST, I don't see it as a requirement.
Simply because you can't prove that he did or didn't, so saying MUST doesn't
really add anything! Either the signature verifies cryptographically, and it
can be shown that the signed data could be calculated using the original
data and the transform operations - in that case he could have done that or
the signer new of some magic process to achieve the same results and we
wouldn't know the difference.

> their own risk in the sense that the verifier will have the
> burden of proof in showing that they have not materially
> altered the signature. One way to
What burden? If the signature verifies, how can they have altered them?

If you are thinking about the original document, having modified that one
and the transforms to remove the alterations - well, in that case you really
need to include the original document into the signature.

European Digital Signature Guidelines require that the signer must be made
aware of what he signes (for qualified signatures) and that only can be the
transformed document and never the original one.

> At that point, I would ask what point there is in writing down the
> transforms at all.
Honestly, I wouldn't be terribly bothered if they fell out....

> In conclusion, I think it is necessary to REQUIRE applications to
> follow the
> given transforms 'in effect' when creating a signature, and anything short
> of this nullifies the security value of transforms.  I think it is safe to
> RECOMMEND that verifying programs perform the transforms 'in effect'.
As we cannot require any of the parties to do so, and we cannot verify if
they have effectively done so, this does not help. It seems to me to do so
would require forcing the original documents hash into the signature too. I
am not sure I understand XPath enough, but it seems to me that for any given
transformation using XPath there may exist more than one document that give
the same result, applying the samge transform? Correct me if that is wrong,
but if it is true...... then I would suggest putting a ref to the original
doc plus transforms into a manifest would be a better solution.

Peter - who naively had thought we were through that after the FTF :-)

Received on Tuesday, 25 January 2000 08:57:50 UTC