- From: John Boyer <JBoyer@PureEdge.com>
- Date: Sat, 12 Feb 2005 15:49:01 -0800
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: <www-tag@w3.org>, "Bjoern Hoehrmann" <derhoermi@gmx.net>
Hi Roy,
There's so much wrong with your response that I'm
having trouble even figuring out where to begin...
You can set up a signature that causes your additional
context to break the signature, and you can set one up
so that it doesn't. We tend to recommend not creating
the type of signature you described exactly because it
permits arbitrary qualifications to the signed data,
which can be not just of the form you described but also
of the form not(signed data). Changes to the context do
not affect the serialization over which the hash is
ultimately computed, then the signature is repudiable.
So, because I've spent a long time in the XML security
space and therefore have volumes and volumes of things
to say about good versus bad signatures, it does little
to advance your argument to provide me with a repudiable
signature and then to say look the signature doesn't
break when I change the context.
Then there's the fact that the entire argument is not
analogous to what's being discussed, which is changes
that can be made not to surrounding context but
rather to the very information signed!
And what you said in defense of your interpretation of
namespaces is even more interesting. You present a
"latest" definition created in Jan. 2005 that I've
responded to in Feb. 2005 by saying that it breaks
stuff when retroactively applied to the interpretation
of a 1999 spec in recommendations that were let in 2001
and 2002.
You may have a dictionary with a lot of definitions for
the word identify, but you do nothing to address the fact
that the writings available to us at the time, including the
policy document on namespace conventions by the W3C director,
described the use of an expanded name as allowing us to
distinguish elements or attributes that have different
interpretations despite having equivalent local names.
Why do you find it so unreasonable that the entire XML
signatures working group would conclude that XML could
be signed because the meaning of the signed content
would not be changed?
Next you accuse me of playing games with W3C process when
I'm trying in fact to explain to you how XML signatures
work. I don't get that, esp. when you seem bent on
ignoring the parts of my argument that are inconvenient
to your own.
For example, you persist in claiming that xml is a
reserved namespace long after I already pointed out
that the namespace recommendation reserved *prefixes*
starting with xml. Nothing in the document does what
you describe.
Moreover, you ignored the fact that the 2005 definition
you presented was for URI, which is applicable in many
domains outside of its use in namespaces. So, when I
pointed out to you that your very own definition allowed
for the fact that sometimes URIs "could be" used for
identity, and that in the namespaces rec and the
conventions document there was language to suggest they
were being used in that way, your response was along
the the lines of "nahn ahn"
In the end, you can pull out whatever dictionary you want
and show as many alternate meanings for identity as you
like, but you still haven't shown that the meaning I've
selected is inappropriate. There is a difference between
a wrong conclusion and one that is inconvenient (hopefully
your dictionary does not "identify" those two words, too).
So, fix, fix, fix away if you like. But there is
inconvenience on both sides of the coin. If namespaces
come to have the meaning you describe, then the W3C
should repeal its recommendation of XML signatures in
their entirety. It makes no sense to have a system that
chokes if a single bit of data has been altered, only to
have far more qualitative changes by a change to the
definition of namespace relative to the understanding
the signature group had when it created that recommendation
(a joint venture with IETF, no less).
John Boyer, Ph.D.
Senior Product Architect and Research Scientist
PureEdge Solutions Inc.
-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com]
Sent: Thursday, February 10, 2005 6:37 PM
To: John Boyer
Cc: www-tag@w3.org; Bjoern Hoehrmann
Subject: Re: Significant W3C Confusion over Namespace Meaning and Policy
On Feb 10, 2005, at 9:52 AM, John Boyer wrote:
>> I believe it is an error in the digital signature specification
>> to specify an algorithm that is impacted by changes outside
>> the content (such as any changes influenced by context). That
>> error should be fixed regardless of the namespaces discussion.
>
> First, maybe you missed the fact that I was not talking about
> any minor technical issue in C14N that arises *only when a document
> subset* is being processed.
No, but I should have said *if* such an error exists.
> Even if you don't use C14N, a signature is applied over a blob
> of XML markup. The signature is signing the markup because the
> markup is supposed to representative of a concrete set of operations.
>
> That markup can be impacted by changes outside of the content
> if you allow changes the meaning of any name in the namespace or
> if you allow changes to the namespace.
The signature applies to what is signed -- nothing more than that.
> You said "the signature wouldn't work". No! The signature will
> in fact continue to validate, but the subsequent processing of the
> signed information may not be in accord with what the signer
> authorized.
Let's consider a signed purchase order agreement. It contains all
of the usual data for the purchase and is enclosed by a signature.
When that XML blob is placed within a protocol action consistent
with making a transaction, it has one meaning that everyone can
agree upon. When that same XML blob is placed within a document
in which the surrounding text says:
This is the purchase agreement we had in effect between
the years 1999-2001.
then does that context somehow invalidate the signature?
Context does not invalidate a signature because the signature
is upon the ordered bits within the blob, not the meaning of
those bits when interpreted in context. Any other interpretation
of digital signatures is fundamentally flawed because the entire
purpose of such signatures is accountability.
> So, to fix this error, one has to conclude that neither
> changing the namespace nor changing the semantics of the
> namespace are permitted. Again, THIS HAS NOTHING TO DO
> WITH C14N!!!!!
Someone said that c14n contained instructions to treat all
xml namespaced attributes as inherited. That is a rather
obvious error, assuming it actually says it (I haven't checked).
> On a separate point, it is interesting that you've used an RFC let
> in Jan. 2005 to justify your interpretation of words appearing in
> a W3C recommendation published in 1999.
Yes, interesting in that it reflects the most recent international
standard on what it means, agreed to in public, and thoroughly
vetted by the TAG. Namespaces is dependent on URI.
> But, to play ball, let's take a look at the words you quoted, focusing
> on
>
> "These terms should not be mistaken as an assumption that an identifier
> defines or embodies the identity of what is referenced, though
> that may be the case for some identifiers."
>
> Thus, even by your definition, it may be the case for some
> identifiers that they are indeed meant to embody the identity
> of something. And my position remains that the material
> created in 1999 (the namespaces rec and the namespaces conventions)
> were intended to create this class of identifiers.
Great, then we have resolved the question. The namespaces rec
had no such intention, and even if it could be interpreted the
way you suggest, that only means we will have to edit the Namespaces
draft to bring it in line with reality.
Again, please do not play W3C process games here.
> Regardless of what new meaning you and others may want to
> assign to the word identify, the fact remains that their
> usage in dictionaries and computer science texts do not use
> the meaning you define.
>
> So, clearly we're not going to get anywhere by continuing to
> haggle over this point.
Good, because it would be far easier to agree to disagree than
to explain to you the 16 different definitions of identify
<http://dictionary.reference.com/search?q=identify>
only one of which agrees with your assumed meaning.
> What I would like instead is for someone to explain to me
> exactly why it is so hard for implementations to be what
> I perceive to be only slightly more intelligent about their
> handling of namespaces. You make a big deal out of the idea
> of changing the namespace when the language schema changes,
> but this is a trivial thing for an implementer to account for.
Since "xml" is a reserved qualifier, the difference is
between having id available automatically within all XML
languages (a universal standard for a universal concept)
or requiring that any use of it be xmlns declared like
other extended name sets.
Uniformity has considerable value and the "xml" namespace
has *always* been intended for extension. Hence, our prior
conclusion that xml:id is a desirable extension still seems
to be true. If that causes breakage, we need to fix the real
reasons for that breakage, not become reactionary and reduce
XML to the lowest common denominator of past Recommendations.
Cheers,
Roy T. Fielding <http://roy.gbiv.com/>
Chief Scientist, Day Software <http://www.day.com/>
Received on Saturday, 12 February 2005 23:49:39 UTC