Re: verification anomaly from Martin Labarthe Dubois on 2005-06-10 (w3c-ietf-xmldsig@w3.org from April to June 2005)

From: Martin Labarthe Dubois <dubois@consist.com.ar>
Date: Fri, 10 Jun 2005 18:50:34 -0300
To: <w3c-ietf-xmldsig@w3.org>
Message-ID: <028401c56e06$6e32cf90$3c0201c0@consist.com.ar>

responding to myself, according to:

http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel
4.3.3.2 The Reference Processing Model

The Transforms specified in this document are defined with respect to the input they require. The following is the default signature application behavior:
 
If the data object is an octet stream and the next transform requires a node-set, the signature application MUST attempt to parse the octets yielding the required node-set via [XML] well-formed processing. 
If the data object is a node-set and the next transform requires octets, the signature application MUST attempt to convert the node-set to an octet stream using Canonical XML [XML-C14N]. 
as the data object is a node-set they application must convert to octet using c14n.

and the reference used is

URI="#chapter1" 
Identifies a node-set containing the element with ID attribute value 'chapter1' of the XML resource containing the signature. XML Signature (and its applications) modify this node-set to include the element plus all descendents including namespaces and attributes -- but not comments. 


but we don´t have a next transformation here... we assume that the next transformation is the digest itself, so we apply it anyways?


Martin

----- Original Message ----- 
  From: Martin Labarthe Dubois 
  To: w3c-ietf-xmldsig@w3.org 
  Sent: Thursday, June 09, 2005 2:11 PM
  Subject: verification anomaly


  Hello,

  must be applied c14n transformation by default to the referenced areas? 


------------------------------------------------------------------------------


  I have signed the same document twice, one of the documents is verified as valid with the IBM XML security suit and the other is invalid according to the same suit.

  But if you look at the document reference

  <Reference URI="#T33F4">
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>kh+fjTciEttBSDaWYFeVw97kGRg=</DigestValue>
  </Reference>

  you can see that no transformation is applied, in particular not c14n.

  and the diference betwen the two documents is than in the valid one the referenced area is c14n transformed and in the invalid
  document no transformation is applied to the referenced area before calculating the referenced area digest.

  they only change that the transformation makes in this case is eliminate one white space where it says:

  <Documento  ID="T33F4"> (you have two whitespaces beten Docmento and ID) after applying c14n is removed.

  The question is shouldn´t be the opposite? If no transformation is mentioned in the reference are, why apply c14n?
  or c14n must be applied as default?
  Thanks in advance,
  Martin

Received on Friday, 10 June 2005 21:50:07 UTC