Either DSig 1.1 or DSig 1.1/1.0

MURATA Makoto eb2m-mrt at asahi-net.or.jp
Sun Oct 23 14:08:54 CEST 2016


We have to decide what OPC V2 should reference
as the definition of XML digital signatures.  (1) DSig 1.1,
or (2) DSig 1.0 (second edition) as well as DSig 1.1?

1. Data conformance

I believe that signatures conformant to DSig 1.0 are
guranteed to conform to DSig 1.1.  If this is the
case, (1) is good enough.

But (2) is not harmful.  A digital signature is
required to conform to either DSig 1.0 or DSig 1.1.

2. Conformance of signature generators

Since generators are not required to use every
feature of XML DSig, generators restricted to DSig
1.0 conform to DSig 1.1.  Thus, I believe that (1) is
good enough.

But if we choose (2), what should be the requirements
on generators?

Status quo is shown below:

    > 13.4 Generating Signatures
    >
    > The steps for signing package contents follow
    > the algorithm outlined in §3.1 of the W3C
    > Recommendation “XMLSignature Syntax and
    > Processing,” with some modification for
    > package-specific constructs...

Here is a rewrite based on (2).

    > 13.4 Generating Signatures
    >
    > The steps for signing package contents follow
    > the algorithm outlined in §3.1 of the W3C
    > Recommendation “XMLSignature Syntax and
    > Processing 1.0 (second edition)”or “XML Signature
    > Syntax and Processing Version 1.1,” with some modification for
    > package-specific constructs...

I do not see any advantages, but I do not see any
disadvantages either.

3. Conformance of signature validators

One could argue that (2) provides some advantages,
since some new algorithms in DSig 1.1 are made
mandatory.  We might want to allow legacy validators
restricted to 1.0 while encouraging validators to support
1.1.

Status quo is shown below:

    > 13.5 Validating Signatures
    >
    > Consumers validate signatures following the
    > steps described in §3.2 of the W3C
    > Recommendation “XMLSignature Syntax and
    > Processing.”...

Here is a rewrite based on (2).

    > 13.5 Validating Signatures
    >
    > Consumers are required to validate signatures
    > following the steps described in §3.2 of
    > either “XMLSignature Syntax and Processing 1.0
    > (second edition)”or “XML Signature Syntax and
    > Processing Version 1.1”.  Consumers should support
    > “XML Signature Syntax and Processing Version 1.1”
    > but may support “XMLSignature Syntax and Processing 1.0
    > (second edition)”.

This paragraph allows validators not to support new elements and
algorithms of DSig 1.1.  I do not know whether MS Office supports
them or not.



Regards,
Makoto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.vse.cz/pipermail/sc34wg4/attachments/20161023/5dd9e9cc/attachment.html>


More information about the sc34wg4 mailing list