- From: Frederick Hirsch <hirsch@zolera.com>
- Date: Fri, 11 Jan 2002 11:04:17 -0500
- To: <xml-encryption@w3.org>
A couple of nits regarding the editors draft of XML Encryption and suggestions for possible improvement or clarification

*** section 5.4.2 RSA-OAEP

s/calculated use the/ calculated using the/

*** 5.9.1 Inclusive Canonicalization

"Canonical XML [Canon] is a method of serializing XML which includes the in scope namespace and xml namespace attribute context from ancestors of the XML being serialized."

I assume "in scope namespace" context means prefixes and "xml namespace attribute context" means xmlns prefixed namespace declaration attributes

*** 5.9.2 Exclusive canonicalization

"It is the recommended method where the outer context of a fragment which was signed and then encrypted may be changed. Otherwise the validation of the signature over the fragment may fail because the canonicalization by signature validation may include unnecessary namespaces into the fragment."

I would reword this:

Exclusive canonicalization is recommended when an XML fragment is signed, encrypted and subsequently moved by an application into a different XML environment. In order for the signature to verify over the decrypted content, no additional namespace declarations must be made explicit in the content after signing. Ideally, Exclusive canonicalization would be applied before signing, but if the content is canonicalized before encryption, exclusive canonicalization is recommended.

*** 6.1 Relationship to digital signatures

I think this section can be made clearer with a bit of reorganization. I removed this sentence "This vulnerability can be mitigated by using secure hashes and nonces in the text being processed." since I don't understand the use of secure hashes to mitigate the risks.

A proposed revision to the section is:

The application of both encryption and digital signatures over portions of an XML document can make subsequent decryption and signature verification difficult. In particular, when verifying a signature one must know whether the signature was computed over the encrypted or unencrypted form of elements. We suggest using the "decrypt-except" signature transform [XML-DSIG-Decrypt] when signing to clarify this potential ambiguity. It works as follows: during signature transform processing, if you encounter a decrypt transform, decrypt all encrypted content in the document except for those excepted by an enumerated set of references.

A separate, but important, issue is the potential for introducing cryptographic vulnerabilities when combining digital signatures and encryption over a common XML element. Hal Finney has suggested that encrypting digitally signed data, while leaving the digital signature in the clear, may allow plaintext guessing attacks. In accordance with the requirements document [EncReq] the interaction of encryption and signing is an application issue and out of scope of the specification. However, we recommend that when data is encrypted, any digest or signature over that data should be encrypted, reducing the possibility of a plaintext attack.

Additionally, while ...

1. Signing encrypted data should not be taken to imply integrity of the underlying plaintext data, only signatures over the plaintext [Davis]
2...
3. Encryption should not be inferred to imply any content integrity, if integrity is required, signatures should be used.

*** References

I note the reference to exclusive canonicalization is missing (draft work in progress reference?)

---
Frederick Hirsch
Zolera Systems, http://www.zolera.com/
Information Integrity, XML Security
Received on Friday, 11 January 2002 10:57:33 UTC
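
The 5.9.2 point about a signed fragment being moved into a different XML environment, as an added example that is not part of the original message or of the XML Encryption draft: a simplified canonicalizer run over one constructed fragment placed in two constructed envelopes. The `urn:example:*` namespaces, element names and helper names are assumptions, and the sketch handles only prefixed namespaces, elements, attributes and text (attribute ordering and escaping are simplified relative to the Canonical XML specifications).

```python
import hashlib
from xml.dom import minidom
from xml.sax.saxutils import escape

# Constructed sample: the same signed fragment inside two different envelopes.
FRAGMENT = '<pay:Payment pay:id="p1"><pay:Amount>100</pay:Amount></pay:Payment>'
SIGNED_IN = '<a:Order xmlns:a="urn:example:a" xmlns:pay="urn:example:pay">' + FRAGMENT + '</a:Order>'
MOVED_TO = ('<b:Envelope xmlns:b="urn:example:b" xmlns:pay="urn:example:pay"><b:Body>'
            + FRAGMENT + '</b:Body></b:Envelope>')

def in_scope(el):
    """Prefix -> URI declarations visible at el (nearest declaration wins)."""
    chain = []
    while el is not None and el.nodeType == el.ELEMENT_NODE:
        chain.append(el)
        el = el.parentNode
    scope = {}
    for node in reversed(chain):
        for name, value in node.attributes.items():
            if name.startswith("xmlns:"):
                scope[name[6:]] = value
    return scope

def c14n(el, exclusive, rendered=None):
    """Serialize the subtree at el (simplified: prefixed namespaces only)."""
    rendered = dict(rendered or {})  # declarations already written by ancestors
    attrs = sorted(a for a in el.attributes.items() if not a[0].startswith("xmlns"))
    scope = in_scope(el)  # inclusive: the whole ancestor context is carried along
    if exclusive:  # keep only prefixes visibly used by the tag or its attributes
        names = [el.tagName] + [n for n, _ in attrs]
        used = {q.split(":")[0] for q in names if ":" in q}
        scope = {p: u for p, u in scope.items() if p in used}
    decls = sorted(d for d in scope.items() if rendered.get(d[0]) != d[1])
    rendered.update(decls)
    out = "<" + el.tagName + "".join(' xmlns:%s="%s"' % d for d in decls)
    out += "".join(' %s="%s"' % (n, escape(v, {'"': "&quot;"})) for n, v in attrs) + ">"
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += c14n(child, exclusive, rendered)
        elif child.nodeType == child.TEXT_NODE:
            out += escape(child.data)
    return out + "</" + el.tagName + ">"

def fragment(doc_xml):
    return minidom.parseString(doc_xml).getElementsByTagName("pay:Payment")[0]

def digest(doc_xml, exclusive):
    """SHA-256 over the canonical form of the pay:Payment fragment."""
    return hashlib.sha256(c14n(fragment(doc_xml), exclusive).encode("utf-8")).hexdigest()
```

With inclusive canonicalization the digest computed in `SIGNED_IN` no longer matches after the move to `MOVED_TO`, because the unused `xmlns:a` / `xmlns:b` declarations are pulled into the fragment; with exclusive canonicalization the two digests agree.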