To:
"Newton, Andrew" <anewton@verisign.com>
Cc:
ietf-provreg@cafax.se
From:
"Hollenbeck, Scott" <shollenbeck@verisign.com>
Date:
Thu, 18 Apr 2002 12:06:17 -0400
Sender:
owner-ietf-provreg@cafax.se
Subject:
RE: XML Digital Signatures for EPP.
Andy,
I don't think canonicalization (c14n) is really an issue since it's a just a
process that describes how to produce a consistent representation of a
well-formed instance. Looking at the spec [1] right now I don't see any
real issues.
On the other hand, you're probably right about trying to provide integrity,
authentication, and non-repudiation services at some other layer. The XML
DSIG specs allow multiple transforms (such as c14n and perhaps compression)
to be applied prior to signing, but XML signatures add a lot of "wrapper"
that add to bandwidth and processing horsepower requirements.
Just for yuks I worked up an example [2] of a host <create> command
contained with an XML signature wrapper. Don't try to validate this
signature since all I did was steal data to make the XML parser happy, but
it's illustrative of the overhead required.
-Scott-
[1]
http://www.w3.org/TR/xml-c14n
[2]
(long lines are going to get wrapped; sorry)
<?xml version='1.0'?>
<Signature Id="EPPSig" xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#
xmldsig-core-schema.xsd">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000710">
</CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa">
</SignatureMethod>
<Reference URI="http://www.w3.org/TR/REC-xml-names/">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#base64"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
</DigestMethod>
<DigestValue>UrXLDLBIta6skoV5/A8Q38GEw44=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>MC0CFFrVLtRlkMc3Daon4BqqnkhCOlEaAhUAk8pH1iRNK+q1I+sisDTz2TFE
ALE=</SignatureValue>
<KeyInfo>
<KeyValue>
<DSAKeyValue>
<P>2iY3w062sDB3/DIlLWOeG9+4UpmDZ0dyqRk9dLlNQ6qaXI7tOrjdIhm6n/eOw45AQtuYSp6sp
Ct9cQcNBAj22KvygvfJIIXX9sSQrugfGqifeSvY3VX5Sd1j+z0MSZ/n5jNt88uh2C11SAqX6nrXT
Y/1RwkoWRN23SYhOlaG0hU=</P>
<Q>9B5ypLY9pMOmtxCeTDHgwdNFeGs=</Q>
<G>MuGAlqeB1ax+vyO2+Osubjhl7pHxLu47RIH+/M52DjESA9KMSrwzsYx8yNR2WooByrE0t6fu0
VncK7UK8olO4t7wpv2z4AFQPRVCKFwo0qgn5aKIkICGMlrRy81avb27wGcWothx3iPPMtFXtoDqK
0JItaI9R8zc1msFhM1GKMY=</G>
<Y>ctA8YGxrtngg/zKVvqEOefnwmViFztcnPBYPlJsvh6yKI4iDm68fnp4Mi3RrJ6bZAygFrUIQL
xLjV+OJtgJAEto0xAs+Mehuq1DkSFEpP3oDzCTOsrOiS1DwQe4oIb7zVk/9l7aPtJMHW0LVlMdwZ
NFNNJoqMcT2ZfCPrfvYvQ0=</Y>
</DSAKeyValue>
</KeyValue>
</KeyInfo>
<Object>
<SignatureProperties>
<SignatureProperty Target="#EPPSig">
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0
epp-1.0.xsd">
<command>
<create>
<host:create
xmlns:host="urn:ietf:params:xml:ns:host-1.0"
xsi:schemaLocation="urn:ietf:params:xml:ns:host-1.0
host-1.0.xsd">
<host:name>ns1.example.tld</host:name>
<host:addr ip="v4">192.1.2.3</host:addr>
<host:addr ip="v4">198.1.2.3</host:addr>
<host:addr
ip="v6">1080:0:0:0:8:800:200C:417A</host:addr>
</host:create>
</create>
<clTRID>ABC-12345</clTRID>
</command>
</epp>
</SignatureProperty>
</SignatureProperties>
</Object>
</Signature>
> -----Original Message-----
> From: Andrew Newton [mailto:anewton@verisign.com]
> Sent: Thursday, April 18, 2002 11:37 AM
> To: Hollenbeck, Scott
> Cc: 'Roger Castillo Cortazar'; ietf-provreg@cafax.se
> Subject: RE: XML Digital Signatures for EPP.
>
>
> It has been a bit since I looked at this stuff, so forgive if
> I get any
> of it wrong. But it is my understanding that XML D-Sig uses XML
> Canonicalization which is DTD based. This may pose a problem with EPP
> since its schema language is XML Schema.
>
> I think doing this at the application transport level is a
> better idea.
> You also get the advantage of being able to run compression
> against the
> XML instance before encryption.
>
> -andy
>