XML-Dsig

From W3C Wiki


Links: http://www.w3.org/2005/Security/xmlsig-charter

A page for discussing potential enhancements to XML-DSig 1.0 based on user experience or other standards / technology evolution

List of enhancements

Relevant mailing Lists:

(just a place holder for the moment)

http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/

http://lists.w3.org/Archives/Public/www-xml-canonicalization-comments/

  • [C14N/1.1]
 http://www.w3.org/2006/04/c14n-note/
 After issuing C14n 1.1 there is a need to update Exclusive XML Canonicalization http://www.w3.org/TR/xml-exc-c14n/
 - Relation of C14n 1.1 to XML 1.1
    http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Feb/0018.html
    http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Feb/0008.html
    http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Mar/0002.html
    Quote:
    Paul asks why we are trying to define the relationship
    of C14N 1.1 with XML 1.1 when C14N 1.0 doesn't have a
    relationship with XML 1.1, and all we were trying to do
    is fix the problem with xml:id.  The WG isn't eager to 
    try to solve these other issues in C14N 1.1.
    http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Apr/0003.html
 - http://lists.w3.org/Archives/Public/public-xml-core-wg/2006Dec/0043.html
  • [XPath Filter 2.0]
  • [Default algorithms]
  • [Supported cryptographic algorithms]
   - RFC 4051
   - FIPS186-3 DSA with stronger Hash Functions (2006/10 still a Draft)
   - RSA-PSS (added in version 2.1 of PKCS #1)
  • [Backwards compatiblity between c14n/1.1 and c14n/1.0]
  - xml:id processing:  xml:id [<a href="#XMLID">XMLID</a>] is an ID attribute in an XML

document. Copying an ID attribute from one element to another one is always wrong behavior. Applications that encounter xml:id attributes that would need to be copied around by a conforming implementation of Canonical XML 1.0 hence experience an error condition. Problem could be caught by implementations of XML Signature that are xml:id aware always doing duplicate ID checking.

  • [XMLDSig Issues]

A related problem appears when derferencing the fragment-only URI-Reference (URI="#some-fragment") of XML Signature [<a href="#XMLDSIG">XMLDSIG</a>] <ds:Reference>s in combination with xml:base. In particual It is not clear whether such a reference is to be dereferenced according to <a href="http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel"> XML Signature Reference Processing Model</a> as node-set-data or octet stream. This is unclear because XML Signature [<a href="#XMLDSIG">XMLDSIG</a>] is quiet about (xml:base).

  • [Perfomance issues and solutions]
   - streaming processing
  • [Robustness of XML digital Signatures]
   - indention
   - ignoreable whitespace (empty text nodes)
   - schema datatype normalization
   - define new URIs for a parsing Transform (E.g http://www.w3.org/2000/09/xmldsig#Parse)

List of pages in this category:



http://esw.w3.org/topic/Security?highlight=%28Security%29