- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Fri, 29 Jun 2001 15:40:07 -0400
- To: John Cowan <jcowan@reutershealth.com>
- Cc: imamu@jp.ibm.com, maruyama@jp.ibm.com, xml-encryption@w3.org
[Comment on:
[1] http://www.w3.org/TR/2001/WD-xmlenc-decrypt-20010626
]
At 13:00 6/29/2001, John Cowan wrote:
>While this transformation is probably a practical necessity,
>I wish to express my concern about the use case given in
>section 1.1. No one should be in the position of being asked
>to sign a document of which parts are unreadable to him.
I'd tweak that to say, "No one should be in the position of being asked to
associate a signature semantic with data he did not see." Just as one should
follow "Only What is 'Seen' Should be Signed" [2], and "'See' What is
Signed" [3], one should do the same for any association of an explicit or
implicit semantic (e.g., signature=authorize).
It might be perfectly acceptable to sign data in encrypted form, and all the
xmlsignature spec says is that a signature is over the encrypted data. The
problem with the scenario is that there's an implicit signature semantic
(authorize) associated with data that is not seen; this violates [2,3].
However, Bob could continue to sign the encrypted data if you remove the
implicit semantic and leave it to the bank (maybe based on a similar
statement made by Bob) to figure out how much to pay and to whom. But this
is just to continue my point, the scenario needs to be tweaked in a way such
that it doesn't violate [2,3] but is simple/straightforward.
[2] http://www.w3.org/TR/2001/CR-xmldsig-core-20010419/#sec-Seen
[3] http://www.w3.org/TR/2001/CR-xmldsig-core-20010419/#sec-See
Consequently, I propose:
For example, Alice wishes to order and pay for a book from Bob using the
mutually trusted payment system ZipPay. Bob creates an order form including
the book title, price and his account info. He wants to sign all of this
information, but will subsequently encrypt his account info for ZipPay only.
He sends this to Alice who affirms the book title and price, signs the form
and presents the twice-signed order with her own payment information to
ZipPay. To validate both signatures ZipPay will have to know that the
cipher data version of the encrypted information is necessary for validating
Alice's signature, but the plain data form is necessary for validating Bob's
signature.
--
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature
W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Friday, 29 June 2001 15:40:15 UTC
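The proposed ZipPay scenario as an added, runnable illustration (not part of the original message or of the XML Encryption drafts): Bob signs the plain order form and then encrypts his account field, Alice signs the form containing the ciphertext, and ZipPay must validate Alice's signature over the cipher form but Bob's only after applying a decryption step. HMAC-SHA256 stands in for an XML signature, a JSON dump stands in for canonicalization, and the keystream cipher and all keys are constructed placeholders for XML Encryption.

```python
import hmac, hashlib, json

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # Stand-in for XML Encryption's symmetric cipher: a SHA-256 counter
    # keystream XORed over the data (constructed for illustration only).
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(p ^ s for p, s in zip(data, stream))

toy_decrypt = toy_encrypt  # XOR with the same keystream undoes encryption

def canonical(form: dict) -> bytes:
    # Stand-in for XML canonicalization (C14N) of the order form
    return json.dumps(form, sort_keys=True).encode()

def sign(key: bytes, form: dict) -> str:
    return hmac.new(key, canonical(form), hashlib.sha256).hexdigest()

def verify(key: bytes, form: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, form), sig)

# Constructed keys for the three parties (hypothetical values)
BOB_KEY, ALICE_KEY, ZIPPAY_KEY = b"bob-sig-key", b"alice-sig-key", b"zippay-enc-key"

def bob_creates_order():
    # Bob signs title, price and account in the clear ...
    form = {"title": "XML Security", "price": "42.00", "account": "BOB-ACCT-0001"}
    bob_sig = sign(BOB_KEY, form)
    # ... then encrypts only his account info for ZipPay
    enc_account = toy_encrypt(ZIPPAY_KEY, form["account"].encode()).hex()
    return dict(form, account=enc_account), bob_sig

def alice_signs(enc_form: dict) -> str:
    # Alice affirms title and price; her signature covers the cipher form
    return sign(ALICE_KEY, enc_form)

def zippay_validates(enc_form: dict, bob_sig: str, alice_sig: str):
    alice_ok = verify(ALICE_KEY, enc_form, alice_sig)          # cipher form
    bob_over_cipher = verify(BOB_KEY, enc_form, bob_sig)       # wrong form
    # Decryption transform: restore the plain account before checking Bob
    plain = toy_decrypt(ZIPPAY_KEY, bytes.fromhex(enc_form["account"])).decode()
    bob_ok = verify(BOB_KEY, dict(enc_form, account=plain), bob_sig)
    return alice_ok, bob_over_cipher, bob_ok
```

Running the flow yields (True, False, True): Alice's signature validates over the cipher form, Bob's fails over it and succeeds only on the decrypted form.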