Author: Joseph Reagle
Audience: XML'99
Question: What does XML Signature look like, what are the issues?
References:
Joseph M. Reagle Jr.
<reagle@w3.org>
IETF/W3C XML Signatures Co-Chair
W3C/LCS/MIT
This presentation is merely one WG member's view/interpretation of the work with a bias of my expectation/hope for future direction.
<Signature>
SignedInfo is the content that is signed.
ObjectReferences identify the resources that have the content being signed (via a DigestValue).
KeyInfo and Objects may be included within the Signature element.
Must be clear about what we mean when a signature is "valid":
SignatureValue matches the result of processing SignedInfo with CanonicalizationMethod and SignatureMethod as specified in §6.2? (Did SignedInfo or key change?)
DigestValue in SignedInfo?
(Did the content referenced from SignedInfo change?)

<Signature ID="5"
    xmlns="http://www.w3.org/1999/10/signature-core">
  <SignedInfo> <!-- scope of sig processing -->
    <CanonicalizationMethod
        Algorithm="http://www.w3.org/1999/xmldsig-core/c14n"/> <!-- for SignedInfo -->
    <SignatureMethod Algorithm="dsig:dsaWithSHA-1"/>
    <ObjectReference URI="www.mypage.com"> <!-- points to resource -->
      <DigestMethod Algorithm="http://...sha1"/>
      <DigestValue>a53uud43</DigestValue>
    </ObjectReference>
    <ObjectReference IDREF="#timestamp"
        Type="http://www.w3.org/1999/sig1/signatureattributes"> <!-- points to resource -->
      <Transforms> <!-- source tree to output octets -->
        <Transform
            name="http://www.w3.org/1999/xmldsig-core/c14n"/>
      </Transforms>
      <DigestMethod Algorithm="http://...sha1"/>
      <DigestValue>a53uud43</DigestValue>
    </ObjectReference>
  </SignedInfo>
  <Object ID="timestamp">
    <timestamp about="#5"
        xmlns="http://www.ietf.org/rfc/1234">
      <date>19990908</date>
      <time>14:34:34:34</time>
    </timestamp>
  </Object>
  <SignatureValue
      encoding="urn:ietf-org:base64">dd2323dd</SignatureValue>
  <KeyInfo> <!-- not necessarily signed! -->
    <keyname>Solo</keyname>
  </KeyInfo>
</Signature>

<SignedInfo> <!-- scope of sig processing -->
  <CanonicalizationMethod
      Algorithm="http://www.w3.org/.../xml-c14n"/> <!-- for SignedInfo -->
  <SignatureMethod Algorithm="dsig:dsaWithSHA-1"/>
  <ObjectReference URI="http://www.myhome.com"> <!-- points to object -->
    ...
  </ObjectReference>
  <ObjectReference IDREF="#timestamp"> <!-- points to object -->
    ...
  </ObjectReference>
</SignedInfo>

SignedInfo does not necessarily include KeyInfo nor an explicit SignatureAttributes element. Instead, use an additional ObjectReference to an Object that includes these semantics.
SignedInfo. Presently, no mandatory to use, perhaps a simple mandatory to implement.

<ObjectReference IDREF="#timestamp"
    Type="http://www.w3.org/1999/xmldsig-core/SignatureAttributes"> <!-- points to object -->
  <Transforms> <!-- source tree to output octets -->
    <Transform Algorithm="http://w3.org/1999/XPath"/>
    <Transform
        Algorithm="http://w3.org/1999/xmldsig-core/c14n"/>
  </Transforms>
  <DigestMethod Algorithm="http://w3.org/1999/xmldsig-core/sha1"/>
  <DigestValue>a53uud43</DigestValue>
</ObjectReference>

Transforms to the specified resource based on each ObjectReference(s) in the SignedInfo element.
DigestValue in SignedInfo for each reference (if any mismatch, validation fails).
SignedInfo element based on the CanonicalizationMethod, if any, in SignedInfo.
KeyInfo or externally.
SignatureValue based on the SignatureMethod in the SignedInfo
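
The two validity questions and the validation steps above, worked through as an added example (not code from the original slides or from the XML Signature Working Group). It shows that the reference check and the signature check fail independently, and that KeyInfo is outside both unless it is referenced. Assumptions: HMAC-SHA1 with a constructed key stands in for dsaWithSHA-1, Python's C14N 2.0 stands in for the draft canonicalization, and the document is a constructed, namespace-free reduction of the slide's example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: key obtained externally, not from KeyInfo

# Constructed, namespace-free reduction of the slide's example document.
TEMPLATE = """<Signature ID="5"><SignedInfo>
<ObjectReference IDREF="#timestamp"><DigestValue/></ObjectReference>
</SignedInfo>
<Object ID="timestamp"><date>19990908</date></Object>
<SignatureValue/><KeyInfo><keyname>Solo</keyname></KeyInfo></Signature>"""

def c14n(elem):
    # Python's C14N 2.0 stands in for the draft's canonicalization algorithm.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def digest(elem):
    return base64.b64encode(hashlib.sha1(c14n(elem)).digest()).decode()

def mac(info):
    # HMAC-SHA1 stands in for dsaWithSHA-1 (no DSA in the standard library).
    return base64.b64encode(hmac.new(KEY, c14n(info), hashlib.sha1).digest()).decode()

def target(sig, ref):
    # Resolve a same-document IDREF such as "#timestamp" to its Object.
    return sig.find(f"Object[@ID='{ref.get('IDREF')[1:]}']")

def sign(xml_text):
    sig = ET.fromstring(xml_text)
    info = sig.find("SignedInfo")
    for ref in info.findall("ObjectReference"):
        ref.find("DigestValue").text = digest(target(sig, ref))
    sig.find("SignatureValue").text = mac(info)
    return ET.tostring(sig, encoding="unicode")

def validate(xml_text):
    """Return (references_ok, signature_ok): the two validity questions."""
    sig = ET.fromstring(xml_text)
    info = sig.find("SignedInfo")
    refs_ok = True
    for ref in info.findall("ObjectReference"):
        obj = target(sig, ref)
        actual = digest(obj) if obj is not None else ""
        refs_ok &= hmac.compare_digest(actual, ref.find("DigestValue").text or "")
    sig_ok = hmac.compare_digest(mac(info), sig.find("SignatureValue").text or "")
    return refs_ok, sig_ok

SIGNED = sign(TEMPLATE)
```

validate(SIGNED) returns (True, True). Changing the date inside the Object gives (False, True), while changing only keyname still gives (True, True), because no ObjectReference in SignedInfo covers KeyInfo.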