XMLDSIG Open Syntax Questions
Donald E. Eastlake 3rd
<dee3@us.ibm.com>
8 November 1999, 46th IETF Meeting
Open Syntax Questions
- Canonicalization - deferred until tomorrow
- Put more dynamic fields first
- No nonce
- Algorithm Parameters
- Unsigned Location/Transforms
- Reliance on xpath/xptr/xslt
Put Dynamic Fields First
- Makes preloading hash less useful
- In SignedInfo
  - First: ObjectReference
  - Later: SignatureMethod, CanonicalizationMethod
- In ObjectReference
  - First: DigestValue
  - Later: Location, Transforms, DigestMethod
No Nonce
- None of the signature algorithms listed in the draft needs a nonce to protect against attacks.
- Other signature algorithms can be modified, if necessary, so that they do not need a nonce.
Algorithm Parameters
Decisions Needed
- Optimize one parameter algorithm?
- Type attribute versus Namespace?
- Generic element name versus Integer / Real / Boolean / String / Binary ?
Unsigned Location/Transforms
- Desire to have data that can move around
- Nested Manifests
- Allow Location outside of SignedInfo
- Clever URIs for Location
  - iotp:transaction-id#idref
  - http://example.com/cgi/finder?doc-1234
- Allow Transforms of SignedInfo to remove Location
- Different locations need different transforms
  - Same issues: nested Manifests, move Transforms, clever Transforms, Transform Transform
Nested Manifests
- SignedInfo ObjectReference points to a Manifest which points to a Manifest.
- Depends on application verification behavior.
- Bulky/Kludgy.
Locations Outside of SignedInfo
- Need to also move Transforms out
- Need to link to DigestMethod / DigestValue inside SignedInfo if multiple ObjectReferences are allowed, adding an IDREF and ID.
Clever URIs for Locations
- Not very elegant.
- Implies clever Transforms which is even hairier.
Allow Transform of SignedInfo
- Can simply drop out Locations and/or Transforms.
- Can be dangerous but not much worse than other uses of Transforms.
- <SignedInfo> (ObjectReference)+ CanonicalizationMethod? SignatureMethod (Transforms)? </SignedInfo>
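An added illustration, not part of the slides, of why "drop out Locations" is dangerous: a toy check over the proposed SignedInfo grammar showing that once a SignedInfo Transform removes Location, the bytes under the signature no longer depend on it. The element names, the "drop-Location" Transform, the digest string and the whitespace-stripping canonicalization are assumptions for the example.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample in the slide's proposed shape:
#   <SignedInfo> (ObjectReference)+ CanonicalizationMethod? SignatureMethod (Transforms)? </SignedInfo>
# Element names, the "drop-Location" Transform and the digest string are assumptions, not spec text.
TEMPLATE = """<SignedInfo>
  <ObjectReference>
    <DigestValue>CONSTRUCTED-DIGEST</DigestValue>
    <Location>{location}</Location>
    <DigestMethod>sha1</DigestMethod>
  </ObjectReference>
  <SignatureMethod>hmac-sha1</SignatureMethod>
  <Transforms><Transform>drop-Location</Transform></Transforms>
</SignedInfo>"""

def apply_signedinfo_transforms(signed_info):
    """Apply the Transforms listed in SignedInfo to SignedInfo itself (the option on the slide)."""
    out = copy.deepcopy(signed_info)
    for t in out.findall("./Transforms/Transform"):
        if t.text == "drop-Location":
            for ref in out.findall("ObjectReference"):
                for loc in ref.findall("Location"):
                    ref.remove(loc)
    return out

def canonical_bytes(el):
    """Toy canonicalization (assumption; real C14N was deferred): drop whitespace-only text."""
    for e in el.iter():
        if e.text and not e.text.strip():
            e.text = None
        if e.tail and not e.tail.strip():
            e.tail = None
    return ET.tostring(el)

def bytes_under_signature(location, transform_signedinfo):
    """Bytes the signature would cover for a SignedInfo whose ObjectReference names `location`."""
    root = ET.fromstring(TEMPLATE.format(location=location))
    if transform_signedinfo:
        root = apply_signedinfo_transforms(root)
    return canonical_bytes(root)

def location_is_bound(transform_signedinfo):
    """True if changing Location changes the signed bytes, i.e. the signature commits to it."""
    a = bytes_under_signature("http://example.com/cgi/finder?doc-1234", transform_signedinfo)
    b = bytes_under_signature("http://example.com/cgi/finder?doc-9999", transform_signedinfo)
    return a != b

if __name__ == "__main__":
    print("bound without transform:", location_is_bound(False), "with drop-Location:", location_is_bound(True))
```

The DigestValue still binds the object's content; what the transform discards is any commitment to where the verifier is told to fetch it from.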
Reliance on xpath/xptr/xslt
- XPath is a subset of both XPointer and XSLT and provides useful filtering functionality.
- Only XSLT is defined to have a mode where it produces XML. Others need additional specification beyond the standard, which is present in XMLDSIG documentation.