Re: XML Processing in Current Implementations

At 23:21 7/29/2000 +0900, TAMURA Kent wrote:
>> 2. Otherwise, we'd have to recommend that
>> also be included in a Signature Reference if we want to get bit by
>> changing the stylesheet to affect the result after the
>> signature.
> I agree.

I propose that we add a few sentences to section 8.1.3 "See" What is Signed:
Just as a person or automatable mechanism should only sign what it "sees,"
persons and automated mechanisms that trust the validity of a transformed
document on the basis of a valid signature SHOULD operate over the data that
was transformed (including canonicalization) and signed, not the original
pre-transformed data. /+This recommendation applies to transforms specified
within the signature as well as those included as part of the document
itself. For instance, if an XML document includes an embedded stylesheet
[XSLT] it is the transformed document that SHOULD be represented to the
user and signed. To meet this recommendation where a document references an
external style sheet, the content of that external resource SHOULD also be
signed via a signature Reference -- otherwise the content of that external
content might change which alters the resulting document without
invalidating the signature.+/

I believe the reason these started out as SHOULDs is because we want to be
permissive to applications and we can't enforce/check some of these
recommendations. However, I'd feel more comfortable if some of them were a
MUST. Does the WG think we are communicating the hazards involved in this
domain of transforms well? Will implementors know to lock this stuff down
and/or even prohibit it if they don't do a really really good job? What do
others think?

Joseph Reagle Jr.   
W3C Policy Analyst      
IETF/W3C XML-Signature Co-Chair

Received on Tuesday, 1 August 2000 08:44:12 UTC
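The hazard discussed in this message, worked through as an added example that is not part of the original post or of the XML-Signature specification: a signed order points at an external stylesheet, the signature's only Reference covers the order itself, and whoever can edit the stylesheet changes what the reader sees without touching the signed bytes. Adding a second Reference that digests the stylesheet is the fix the proposed 8.1.3 text asks for. Everything here is an assumption for illustration: the file names order.xml and render.xsl, the toy <render>/<show>/<text> vocabulary standing in for XSLT so the code runs with only the standard library, and HMAC-SHA256 standing in for the RSA or DSA SignatureMethod of a real <ds:Signature>.

```python
"""Unsigned external stylesheet: a valid signature ends up vouching for the wrong display."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample document (assumption): a purchase order referencing an external stylesheet.
ORDER_XML = b"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="render.xsl"?>
<order>
  <item>Widget</item>
  <amount currency="USD">100</amount>
  <payee>Alice</payee>
</order>"""

# Toy stand-in for XSLT (assumption): <show element=... label=.../> prints one field,
# <text> prints a literal line.
STYLESHEET = b"""<render>
  <show element="item" label="Item"/>
  <show element="amount" label="Amount"/>
  <show element="payee" label="Pay to"/>
</render>"""

# The attacker can edit render.xsl but not the signed order: the payee line is replaced by literal text.
TAMPERED_STYLESHEET = b"""<render>
  <show element="item" label="Item"/>
  <show element="amount" label="Amount"/>
  <text>Pay to: Mallory</text>
</render>"""

KEY = b"demo-signing-key"  # assumption: HMAC stands in for the asymmetric SignatureMethod


def render(document: bytes, stylesheet: bytes) -> str:
    """Apply the toy stylesheet to the document and return what the user would be shown."""
    doc = ET.fromstring(document)
    lines = []
    for rule in ET.fromstring(stylesheet):
        if rule.tag == "show":
            node = doc.find(rule.get("element"))
            lines.append(f"{rule.get('label')}: {node.text if node is not None else ''}")
        elif rule.tag == "text":
            lines.append(rule.text or "")
    return "\n".join(lines)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(references: dict, key: bytes = KEY) -> dict:
    """Mimic XMLDSig structure: SignedInfo lists (URI, DigestValue) pairs,
    and SignatureValue is computed over SignedInfo, not over the referenced data itself."""
    signed_info = "\n".join(f"{uri} {digest(data)}" for uri, data in sorted(references.items()))
    mac = hmac.new(key, signed_info.encode(), "sha256").hexdigest()
    return {"SignedInfo": signed_info, "SignatureValue": mac}


def verify(signature: dict, resolve: dict, key: bytes = KEY) -> bool:
    """Core validation: check SignatureValue over SignedInfo, then re-digest every Reference."""
    expected = hmac.new(key, signature["SignedInfo"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signature["SignatureValue"]):
        return False
    for line in signature["SignedInfo"].splitlines():
        uri, digest_value = line.split(" ")
        if uri not in resolve or digest(resolve[uri]) != digest_value:
            return False
    return True


def naive_scenario() -> tuple:
    """Only order.xml is referenced: the signature survives the stylesheet swap, the display does not."""
    sig = sign({"order.xml": ORDER_XML})
    still_valid = verify(sig, {"order.xml": ORDER_XML, "render.xsl": TAMPERED_STYLESHEET})
    return still_valid, render(ORDER_XML, TAMPERED_STYLESHEET)


def hardened_scenario() -> tuple:
    """A second Reference digests render.xsl as the proposed text recommends:
    the untouched pair validates, the tampered pair does not."""
    sig = sign({"order.xml": ORDER_XML, "render.xsl": STYLESHEET})
    untouched = verify(sig, {"order.xml": ORDER_XML, "render.xsl": STYLESHEET})
    tampered = verify(sig, {"order.xml": ORDER_XML, "render.xsl": TAMPERED_STYLESHEET})
    return untouched, tampered


if __name__ == "__main__":
    valid, shown = naive_scenario()
    print(f"naive: signature valid={valid}\n{shown}\n")
    print("hardened: untouched valid=%s, tampered valid=%s" % hardened_scenario())
```

The naive case is the one the proposed SHOULD warns about: core validation passes because every digest it checks still matches, yet the reader is shown "Pay to: Mallory". The only thing the hardened case changes is the Reference list in SignedInfo, which is exactly the lever the specification gives an application; whether to require it (MUST) rather than recommend it (SHOULD) is the open question in the message above.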