Edit comment LC-2502 for XML Security Working Group

Quick access to LC-2502 LC-2503 LC-2504

Comment LC-2502

Comment Shortname:

Commenter: Sean Mullan <sean.mullan@oracle.com>

Message-id:

Section of the document concerned:

[Free text description]Document as a wholeXML Signature Syntax and Processing Version 1.1 /**/... XML Signature Syntax and Processing Version 1.1 W3C Candidate Recommendation 03 March 2011 Abstract This document specifies XML digital signature proc... Status of This Document This section describes the status o... Table of Contents 1. Introduction 1.1 Editorial and Confo... 1. Introduction This document specifies XML syntax and proc... 1.1 Editorial and Conformance Conventions For readability,... 1.2 Design Philosophy The design philosophy and requirement... 1.3 Versions Namespaces and Identifiers This specification... 1.4 Acknowledgements The contributions of the members of th... 2. Signature Overview and Examples This section provides an... 2.1 Simple Example (Signature, SignedInfo, Methods, and Ref... 2.1.1 More on Reference [s05] <Reference URI="http://... 2.2 Extended Example (Object and SignatureProperty) This sp... 2.3 Extended Example (Object and Manifest) The Manifest ele... 3. Processing Rules The sections below describe the operati... 3.1 Signature Generation The required steps include the gen... 3.1.1 Reference Generation For each data object being signe... 3.1.2 Signature Generation Create SignedInfo element with... 3.2 Core Validation The required steps of core validation i... 3.2.1 Reference Validation Canonicalize the SignedInfo ele... 3.2.2 Signature Validation Obtain the keying information f... 4. Core Signature Syntax The general structure of an XML si... 4.1 The ds:CryptoBinary Simple Type This specification defi... 4.2 The Signature element The Signature element is the root... 4.3 The SignatureValue Element The SignatureValue element c... 4.4 The SignedInfo Element The structure of SignedInfo incl... 4.4.1 The CanonicalizationMethod Element CanonicalizationMe... Note 4.4.2 The SignatureMethod Element SignatureMethod is a requ... 4.4.3 The Reference Element Reference is an element that ma... 4.4.3.1 The URI Attribute The URI attribute identifies a da... 4.4.3.2 The Reference Processing Model Note: XPath is recom... Note 4.4.3.3 Same-Document URI-References Dereferencing a same-d... 4.4.3.4 The Transforms Element The optional Transforms elem... 4.4.3.5 The DigestMethod Element DigestMethod is a required... 4.4.3.6 The DigestValue Element DigestValue is an element t... 4.5 The KeyInfo Element KeyInfo is an optional element that... binary (ASN.1 DER) X.509 Certificate 4.5.1 The KeyName Element The KeyName element contains a st... 4.5.2 The KeyValue Element The KeyValue element contains a... 4.5.2.1 The DSAKeyValue Element Identifier Type="http://ww... http://www.w3.org/2000/09/xmldsig#DSAKeyValue 4.5.2.2 The RSAKeyValue Element Identifier Type="http://ww... http://www.w3.org/2000/09/xmldsig#RSAKeyValue 4.5.2.3 The ECKeyValue Element Identifier Type="http://www... http://www.w3.org/2009/xmldsig11#ECKeyValue 4.5.2.3.1 Explicit Curve Parameters The ECParameters elemen... 4.5.2.3.2 Compatibility with RFC 4050 Implementations that... 4.5.3 The RetrievalMethod Element A RetrievalMethod element... 4.5.4 The X509Data Element Identifier Type="http://www.w3.... http://www.w3.org/2000/09/xmldsig#X509Data 4.5.4.1 Distinguished Name Encoding Rules To encode a disti... 4.5.5 The PGPData Element Identifier Type="http://www.w3.o... http://www.w3.org/2000/09/xmldsig#PGPData 4.5.6 The SPKIData Element Identifier Type="http://www.w3.... http://www.w3.org/2000/09/xmldsig#SPKIData 4.5.7 The MgmtData Element Identifier Type="http://www.w3.... http://www.w3.org/2000/09/xmldsig#MgmtData 4.5.8 XML Encryption EncryptedKey and DerivedKey Elements T... 4.5.9 The DEREncodedKeyValue Element Identifier Type="http... http://www.w3.org/2009/xmldsig11#DEREncodedKeyValue 4.5.10 The KeyInfoReference Element A KeyInfoReference elem... 4.6 The Object Element Identifier Type="http://www.w3.org/... "http://www.w3.org/2000/09/xmldsig#Object" 5. Additional Signature Syntax This section describes the o... 5.1 The Manifest Element Identifier Type="http://www.w3.or... "http://www.w3.org/2000/09/xmldsig#Manifest" 5.2 The SignatureProperties Element   Identifier Type="htt... http://www.w3.org/2000/09/xmldsig#SignatureProperties 5.3 Processing Instructions in Signature Elements No XML pr... 5.4 Comments in Signature Elements XML comments are not use... 6. Algorithms This section identifies algorithms used with... 6.1 Algorithm Identifiers and Implementation Requirements T... *note: Note that the same URI is used to identify base64 bo... **note: The Enveloped Signature transform removes the Signa... 6.2 Message Digests This specification defines several poss... 6.2.1 SHA-1 Identifier: http://www.w3.org/2000/09/xmldsig#... http://www.w3.org/2000/09/xmldsig#sha1 6.2.2 SHA-256 Identifier: http://www.w3.org/2001/04/xmlenc... http://www.w3.org/2001/04/xmlenc#sha256 6.2.3 SHA-384 Identifier: http://www.w3.org/2001/04/xmldsi... http://www.w3.org/2001/04/xmldsig-more#sha384 6.2.4 SHA-512 Identifier: http://www.w3.org/2001/04/xmlenc... http://www.w3.org/2001/04/xmlenc#sha512 6.3 Message Authentication Codes MAC algorithms take two im... 6.3.1 HMAC Identifier: http://www.w3.org/2000/09/xmldsig#h... http://www.w3.org/2000/09/xmldsig#hmac-sha1 http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 http://www.w3.org/2001/04/xmldsig-more#hmac-sha384 http://www.w3.org/2001/04/xmldsig-more#hmac-sha512 6.4 Signature Algorithms Signature algorithms take two impl... 6.4.1 DSA Identifier: http://www.w3.org/2000/09/xmldsig#ds... http://www.w3.org/2000/09/xmldsig#dsa-sha1 http://www.w3.org/2009/xmldsig11#dsa-sha256 Security considerations regarding DSA key sizes 6.4.2 RSA (PKCS#1 v1.5) Identifier: http://www.w3.org/2000... http://www.w3.org/2000/09/xmldsig#rsa-sha1 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 Security considerations regarding RSA key sizes 6.4.3 ECDSA Identifiers: http://www.w3.org/2001/04/xmldsig... http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1 http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256 http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384 http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512 6.5 Canonicalization Algorithms If canonicalization is perf... 6.5.1 Canonical XML 1.0 Identifier for required Canonical... 6.5.2 Canonical XML 1.1 Identifier for required Canonical... 6.5.3 Exclusive XML Canonicalization 1.0 Identifier for Ex... 6.6 Transform Algorithms A Transform algorithm has a single... 6.6.1 Canonicalization Any canonicalization algorithm that... 6.6.2 Base64 Identifiers: http://www.w3.org/2000/09/xmldsi... http://www.w3.org/2000/09/xmldsig#base64 6.6.3 XPath Filtering Identifier: http://www.w3.org/TR/199... Function: node-set here() 6.6.4 Enveloped Signature Transform Identifier: http://www... http://www.w3.org/2000/09/xmldsig#enveloped-signature 6.6.5 XSLT Transform Identifier: http://www.w3.org/TR/1999... 7. XML Canonicalization and Syntax Constraint Consideration... 7.1 XML 1.0 Syntax Constraints, and Canonicalization XML 1.... 7.2 DOM/SAX Processing and Canonicalization In addition to... 7.3 Namespace Context and Portable Signatures In [XPATH] an... 8. Security Considerations The XML Signature specification... 8.1 Transforms A requirement of this specification is to pe... 8.1.1 Only What is Signed is Secure First, obviously, signa... 8.1.2 Only What is "Seen" Should be Signed Additionally, th... 8.1.3 "See" What is Signed Just as a user should only sign... 8.2 Check the Security Model This specification uses public... 8.3 Algorithms, Key Lengths, Certificates, Etc. The strengt... 8.4 Error Messages Implementations should not provide detai... 9. Schema 9.1 XSD Schema XML Signature Core Schema Instan... 9.1 XSD Schema XML Signature Core Schema Instance xmldsig... 9.2 RNG Schema This section is non-normative. Non-normative... 10. Definitions Authentication Code (Protected Checksum) A... Authentication Code Protected Checksum Authentication, Message Authentication, Signer Checksum Core Data Object Integrity Object Resource Signature Signature, Application Signature, Detached Signature, Enveloping Signature, Enveloped Transform Validation, Core Validation, Reference Validation, Signature Validation, Trust/Application A. References Dated references below are to the latest know... A.1 Normative references [ECC-ALGS] D. McGrew, K. Igoe, M.... [ECC-ALGS] [FIPS-180-3] [FIPS-186-3] [HMAC] [HTTP11] [LDAP-DN] [NFC] [OCSP] [PGP] [PKCS1] [RFC2045] [RFC2119] [RFC3279] [RFC3406] [RFC4051] [RFC4055] [RFC5280] [RFC5480] [SP800-57] [URI] [URN] [URN-OID] [UTF-8] [X509V3] [XML-C14N] [XML-C14N11] [XML-EXC-C14N] [XML-MEDIA-TYPES] [XML-NAMES] [XML10] [XMLDSIG-XPATH-FILTER2] [XMLENC-CORE1] [XMLSCHEMA-1] [XMLSCHEMA-2] [XPATH] [XPTR-ELEMENT] [XPTR-FRAMEWORK] [XSL10] [XSLT] A.2 Informative references [ABA-DSIG-GUIDELINES] Digital S... [ABA-DSIG-GUIDELINES] [CVE-2009-0217] [DOM-LEVEL-1] [IEEE1363] [RANDOM] [RDF-PRIMER] [RELAXNG-SCHEMA] [RFC4050] [RFC4949] [SAX] [SHA-1-Analysis] [SHA-1-Collisions] [SOAP12-PART1] [UTF-16] [XHTML10] [XML-Japanese] [XMLDSIG-BESTPRACTICES] [XMLDSIG-CORE] [XMLDSIG-REQUIREMENTS] [XMLSEC-RELAXNG] [XMLSEC11-REQS] [XPTR-XMLNS] [XPTR-XPOINTER] [XPTR-XPOINTER-CR2001]
or

Refinement of the section concerned:

Status:

open proposal pending resolved_yes resolved_no resolved_partial other assigned to Nobody

Type: substantive editorial typo question general comment undefined

Resolution status:

Response drafted Resolution implemented Reply sent to commenter

Response status:

No response from Commenter yet Commenter approved disposition Commenter objected to disposition
Commenter's response (URI):

Comment:

Section 4.5, paragraph 2:

"If KeyInfo is omitted, the recipient is expected to be able to identify the key
based on application context. Multiple declarations within KeyInfo refer to the
same key. While applications may define and use any mechanism they choose
through inclusion of elements from a different namespace, compliant versions
must implement KeyValue (section 4.5.2 The KeyValue Element) and should
implement RetrievalMethod (section 4.5.3 The RetrievalMethod Element)."

These requirements seem like they should be revisited, especially since a later
section says to avoid RetrievalMethod because of potential security concerns
(see Note in section 4.5.10). Also, does this imply that all KeyValues must be
supported? I would think it should only be supported if there is a required
signature algorithm for the corresponding key type. Had there ever been any
discussion about updating the list of required KeyInfo types?

Thanks,
Sean

Related issues: (space separated ids)

WG Notes: Discussion: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0064.html

Resolution: 1. Added text to 1st paragraph on KeyInfo section to state the following: [[ Details of the structure and usage of element children of KeyInfo other than simple types described in this specification are out of scope. For example, the definition of PKI certificate contents, certificate ordering, certificate revocation and CRL management are out of scope. ]] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.html#sec-KeyInfo Added this text to both XML Signature 1.1 and XML Signature 2.0 2. Added the following note to the section on RetrievalMethod in 1.1 before the schema definition (4.5.3): [[ Note: The KeyInfoReference element is preferred over use of RetrievalMethod as it avoids use of Transform child elements that introduce security risk and implementation challenges ]] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.html#sec-RetrievalMethod This and the earlier change to make KeyInfoReference a SHOULD instead of RetrievalMethod (made to both 1.1 and 2.0) should complete the changes to address LC-2506 [[ While applications may define and use any mechanism they choose through inclusion of elements from a different namespace, compliant versions must implement KeyValue (section 4.5.2 The KeyValue Element) and should implement KeyInfoReference (section 4.5.10 The KeyInfoReference Element). KeyInfoReference is preferred over use of RetrievalMethod as it avoids use of Transform child elements that introduce security risk and implementation challenges. Support for other children of KeyInfo is optional. ]] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.html#sec-KeyInfo

(Please make sure the resolution is adapted for public consumption)