• CharterDevelopmentForSignatureEncryption

XML Security Specifications Maintenance WG:

Charter Development

%% Back to XMLSec wiki %%

---

The charter lists a deliverable of a draft charter for subsequent work on XML Signature and XML Encryption. This wiki page is intended for the WG to document considerations on an iterative and ongoing basis. This wiki does not record decisions agreed by the WG but rather serves as a whiteboard to collect inputs.

The WG will determine the process of creating a draft charter as part of its work.

• Change required signature from DSA to RSA? - FrederickHirsch 07-04-26

• Do XPath nodesets add unnecessary complexity? - FrederickHirsch 07-04-30

A page for discussing potential enhancements to XML-DSig 1.0 based on user experience or other standards / technology evolution

List of enhancements

Relevant mailing Lists:

(just a place holder for the moment)

http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/

http://lists.w3.org/Archives/Public/www-xml-canonicalization-comments/

* [C14N/1.1]

• http://www.w3.org/2006/04/c14n-note/

  After issuing C14n 1.1 there is a need to update Exclusive XML Canonicalization http://www.w3.org/TR/xml-exc-c14n/ - Relation of C14n 1.1 to XML 1.1

  • http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Feb/0018.html

    http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Feb/0008.html

    http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Mar/0002.html Quote: Paul asks why we are trying to define the relationship of C14N 1.1 with XML 1.1 when C14N 1.0 doesn't have a relationship with XML 1.1, and all we were trying to do is fix the problem with xml:id. The WG isn't eager to try to solve these other issues in C14N 1.1.

    http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Apr/0003.html

  - http://lists.w3.org/Archives/Public/public-xml-core-wg/2006Dec/0043.html

* [XPath Filter 2.0]

* [Default algorithms]

* [Supported cryptographic algorithms]

• - RFC 4051

  - FIPS186-3 DSA with stronger Hash Functions (2006/10 still a Draft)

  - RSA-PSS (added in version 2.1 of PKCS #1)

* [XMLDSig Issues] - derferencing relative URI-References (fragment only/ URI="#fragement") of XML Signature <ds:Reference>s in combination with <code>xml:base</code>.

It is not clear whether such a reference is to be dereferenced according to [href="http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel XML Signature Reference Processing Model] as node-set-data or octet stream.

XML Signature XMLDSIG is quiet about xml:base.

* [Perfomance issues and solutions]

• - streaming processing

* [Robustness of XML digital Signatures]

• - indention - ignoreable whitespace (empty text nodes)

  • --> SignedInfo whitespace normalizations (indentions)

  - schema datatype normalization

  - define new URIs for a parsing Transform (E.g http://www.w3.org/2000/09/xmldsig#Parse)

From F2F

• xml base and xml:id support with xml sig
• (reference processing)
• C14N support for xml 1.1?
• XPath data model adjustments
• Infoset data model
• XPath 2.0
• -- this material should go on the wiki
• transform chaining referening original document, modification of original data
• e.g. pass by value, not reference
• canonicalization that throws out more "ruthless canonicalization"
• additional algorithms (eg SHA-256)
• performance bottlenecks
• simplicity
• issues related to protocol use
• relationship with binary xml, combinations etc
• (efficient xml)
• discussion with efficient xml interchange group possibililty
• implicit parsing that is not schema aware (in transform chain)
• workshop item - what is canonicalization in sig context

Minimalist Profile (OASIS WSS) http://www.oasis-open.org/apps/org/workgroup/wss/download.php/1720/WSS-MinimalistProfile-20030307.pdf

overhead of multiple ds:References or process at one time. Might need benchmarking.

DigestValue

It has been suggested (see the W3C Decryption Transform specification) that digest values should be encrypted if there is concern that their value gave away info about the associated Reference. Either the suggestion should be removed or <EncryptedData> be allowed as a child for <DigestValue>.

XQuery

This is a placeholder for discussion about updating the XML Signature specification to support XQuery as a RECOMMENDED or OPTIONAL transform.

XPath 2.0

This is a placeholder for discussion about updating the XML Signature specification to support XPath 2.0 with an explicit transform identifier as XML Signature currently does for XPath 1.0

XSLT 2.0

This is a placeholder for discussion about updating the XML Signature specification to support XSLT 2.0 with an explicit transform identifier as XML Signature currently does for XSLT 1.0