DR 11-0029: Q1

MURATA Makoto eb2m-mrt at asahi-net.or.jp
Sun May 1 03:41:33 CEST 2016 

I am going to post some e-mails for addressing this DR.

Q1: Which element of XML DSig 1.0 is allowed in OPC?

First, the elements of XML DSig 1.0 can be classified into
three groups.

Group A: Mentioned normatively in "12.4 Digital Signature
Markup"

OPC has some subclauses dedicated to XML DSig 1.0 elements.
For example, "12.4.8 Transforms Element" and "12.4.19
DigestMethod Element" are dedicated to the Transforms element
and the DigestMethod element of DSig 1.0, respectively.

Group B: Mentioned in other subclauses such as "12.6 Digital
Signature Exmaple"

Some DSig 1.0 elements (e.g., the DigestValue element) are
not defined by subclasues of "12.4 Digital Signature Markup",
but are mentioned in other subclauses such as "12.6 Digital
Signature Exmaple".

Group C: Not mentioned anywhere

Some DSig 1.0 elements are not mentioned anywhere in OPC.

Obviously, elements in Group A are allowed in OPC, and should
continue to be allowed.  But I do not think that we need a
subclause for each of them.

I believe that elements in Group B should also be allowed.
But I do not think that we have to introduce a subclause for
each of them.

It is not clear what we should do about elements in Group C.

For example, he KeyValue element of DSig 1.0 is not mentioned
in OPC.  DSig 1.0 allows this element as a child of the
KeyInfo element, and ISO/IEC 29500-2 simply relies on DSig
1.0.  See "12.4.12 KeyInfo Element" (shown below) in the
latest draft.

          The structure of a KeyInfo element is defined in
 §4.4 of XML-Signature Syntax and Processing.

          The certificate embedded in the Digital Signature
          XML Signature part shall be used when it is
          specified. [M6.21]

Does this prose imply that the KeyValue element is allowed in
OPC?

But the original Ecma 376 looks more restrictive than DSig
1.0.  The diagram in 12.2.4.15 appears to allow X509Data as
children of the KeyInfo element, and allow nothing else.
There is no prose about this possible restriction, though.


Since DSig is intended to address many use cases, it is not
unreasonable for OPC to impose restrictions on the use
of DSig.  But we have to know the restrictions first.

Here is my classification of the elements defined in XML DSig 1.0.

Group A

CanonicalizationMethod
DigestMethod
KeyInfo
Manifest
Object
Reference
Signature
SignatureMethod
SignatureProperty
SignedInfo
Transform
Transforms

Group B


DigestValue
SignatureProperties
SignatureValue
X509Certificate
X509Data

Gropu C

DSAKeyValue
Exponent
G
HMACOutputLength
J
KeyName
KeyValue
MgmtData
Modulus
P
PGPData
PGPKeyID
PGPKeyPacket
PGPKeyPacket
PgenCounter
Q
RSAKeyValue
RetrievalMethod
SPKIData
SPKISexp
Seed
X509CRL
X509IssuerName
X509IssuerSerial
X509SKI
X509SerialNumber
X509SubjectName
XPath
Y


-- 

Praying for the victims of the Japan Kyuushuu earthquake

Makoto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.vse.cz/pipermail/sc34wg4/attachments/20160501/f3edef34/attachment.html>

More information about the sc34wg4 mailing list