W3C home > Mailing lists > Public > xml-encryption@w3.org > January 2002

wording suggestions

From: Frederick Hirsch <hirsch@zolera.com>
Date: Fri, 11 Jan 2002 11:04:17 -0500
To: <xml-encryption@w3.org>
A couple of nits regarding the editors draft of XML Encryption and
suggestions for possible
improvement or clarification

*** section 5.4.2 RSA-OAEP
s/calculated use the/ calculated using the/

*** 5.9.1 Inclusive Canonicalization

"Canonical XML [Canon] is a method of serializing XML which includes the in
scope namespace and xml namespace attribute context from ancestors of the
XML being serialized."

I assume "in scope namespace" context means prefixes and "xml namespace
attribute context" means xmlns prefixed namespace declaration attributes

*** 5.9.2 Exclusive canonicalization
"It is the recommended method where the outer context of a fragment which
was signed and then encrypted may be changed. Otherwise the validation of
the signature over the fragment may fail because the canonicalization by
signature validation may include unnecessary namespaces into the fragment."

I would reword this:

Exclusive canonicalization is recommended when an XML fragment is signed,
encrypted and subsequently moved by an application into a different XML
environment. In order for the signature to verify over the decrypted
content, no additional namespace declarations must be made explicit in the
content after signing. Ideally, Exclusive canonicalization would be applied
before signing, but if the content is canonicalized before encryption,
exclusive canonicalization is recommended.

*** 6.1 Relationship to digital signatures

I think this section can be made clearer with a bit of reorganization.
I removed this sentence
"This vulnerability can be mitigated by using secure hashes and nonces in
the text being processed."
since I don't understand the use of secure hashes to mitigate the risks. A
proposed revision to the section is:

The application of both encryption and digital signatures over portions of
an XML document can make subsequent decryption and signature verification
difficult. In particular, when verifying a signature one must know whether
the signature was computed over the encrypted or unencrypted form of
elements. We suggest using the  "decrypt-except" signature transform
[XML-DSIG-Decrypt] when signing to clarify this potential ambiguity. It
works as follows: during signature transform processing, if you encounter a
decrypt transform, decrypt all encrypted content in the document except for
those excepted by an enumerated set of references.

A separate, but important, issue is the potential for introducing
cryptographic vulnerabilities when combining digital signatures and
encryption over a common XML element. Hal Finney has suggested that
encrypting digitally signed data, while leaving the digital signature in the
clear, may allow plaintext guessing attacks. In accordance with the
requirements document [EncReq] the interaction of encryption and signing is
an application issue and out of scope of the specification. However, we
recommend that when data is encrypted, any digest or signature over that
data should be encrypted, reducing the possibility of a plaintext attack.

Additionally, while ...

1. Signing encrypted data should not be taken to imply integrity of the
underlying plaintext data, only signatures over the plaintext [Davis]
3. Encryption should not be inferred to imply any content integrity, if
integrity is required, signatures should be used.

*** References
I note the reference to exclusive canonicalization is missing (draft work in
progress reference?)

Frederick Hirsch
Zolera Systems, http://www.zolera.com/
Information Integrity, XML Security
Received on Friday, 11 January 2002 10:57:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 23:13:06 UTC