CR-xmlenc-decrypt-20020304
31.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Decryption Transform for XML Signature</title>
<style type="text/css">
<!--
/*<![CDATA[*/
u,ins { background: white; color: red;}
del,strike,.strike { background: white; color: silver; text-decoration: line-through;}
code {font-weight: normal; }
.link-def { background: #FFFFFF; color: teal; font-style: italic;}
.comment { background: #FFFFF5; color: black; padding: .7em; border:
navy thin solid;}
.discuss { color: blue; background: yellow; }
.xml-example,.xml-dtd { margin-left: -1em; padding: .5em; border: none;}
.xml-dtd { background: #efeff8; color: black;}
/*]]>*/
-->
</style>
<link rel="stylesheet" type="text/css"
href="http://www.w3.org/StyleSheets/TR/W3C-CR.css" />
</head>
<body xml:lang="en" lang="en">
<div class="head">
<p><a href="http://www.w3.org/"><img height="48" width="72" alt="W3C"
src="http://www.w3.org/Icons/w3c_home" /></a></p>
<h1 class="notoc">Decryption Transform for XML Signature</h1>
<h2 class="notoc">W3C Candidate Recommendation 04 March 2002</h2>
<dl>
<dt>This version:</dt>
<dd><a
href="http://www.w3.org/TR/2002/CR-xmlenc-decrypt-20020304">http://www.w3.org/TR/2002/CR-xmlenc-decrypt-20020304</a></dd>
<dt>Latest version:</dt>
<dd><a
href="http://www.w3.org/TR/xmlenc-decrypt">http://www.w3.org/TR/xmlenc-decrypt</a></dd>
<dt>Previous version:</dt>
<dd><a
href="http://www.w3.org/TR/2001/WD-xmlenc-decrypt-20011018">http://www.w3.org/TR/2001/WD-xmlenc-decrypt-20011018</a></dd>
<dt>Editors</dt>
<dd>Takeshi Imamura <<a
href="mailto:imamu@jp.ibm.com">imamu@jp.ibm.com</a>></dd>
<dd>Hiroshi Maruyama <<a
href="mailto:maruyama@jp.ibm.com">maruyama@jp.ibm.com</a>></dd>
<dt>Contributors</dt>
<dd>See <a href="#references">References</a>.</dd>
</dl>
<p class="copyright"><a
href="http://www.w3.org/Consortium/Legal/ipr-notice-20000612#Copyright">Copyright</a>
© 2002 <a href="http://www.w3.org/"><abbr
title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a
href="http://www.lcs.mit.edu/"><abbr
title="Massachusetts Institute of Technology">MIT</abbr></a>, <a
href="http://www.inria.fr/"><abbr xml:lang="fr" lang="fr"
title="Institut National de Recherche en Informatique et Automatique">INRIA</abbr></a>,
<a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a
href="http://www.w3.org/Consortium/Legal/ipr-notice-20000612#Legal_Disclaimer">liability</a>,
<a
href="http://www.w3.org/Consortium/Legal/ipr-notice-20000612#W3C_Trademarks">trademark</a>,
<a
href="http://www.w3.org/Consortium/Legal/copyright-documents-19990405">document
use</a> and <a
href="http://www.w3.org/Consortium/Legal/copyright-software-19980720">software
licensing</a> rules apply.</p>
<hr title="Separator from Header" />
</div>
<h2>Abstract</h2>
<p>This document specifies an XML Signature "decryption transform" that
enables XML Signature applications to distinguish between those XML
Encryption structures that were encrypted before signing (and must not be
decrypted) and those that were encrypted after signing (and must be
decrypted) for the signature to validate.</p>
<h2 class="notoc">Status of this document</h2>
<div class="">
<p>This specification from the <a
href="http://www.w3.org/Encryption/2001/Overview.html">XML Encryption Working
Group</a> (<a
href="http://www.w3.org/Encryption/2001/Activity.html">Activity</a>) is a <a
class="loc"
href="http://www.w3.org/Consortium/Process/Process-19991111/process.html#RecsCR">Candidate
Recommendation</a> of the W3C. None of the <a
href="http://www.w3.org/Encryption/2001/11/last-call-issues.html">last call
issues</a> on the XML Encryption specifications concerned this specification.
Furthermore, the WG considers this specification to be stable and invites
implementation feedback during this period.</p>
<p>The exit criteria for this phase is at least two interoperable
implementations of this transform with acceptable performance. The
interoperability of this specification will be demonstrated as <a
href="http://www.w3.org/Encryption/2002/02-xenc-interop.html#decryption-transform">an
algorithm</a> in the XML Encryption Syntax and Processing <a
href="http://www.w3.org/Encryption/2002/02-xenc-interop.html">Interoperability
Report</a>. We expect to meet all requirements of that report within the two
month Candidate Recommendation period (closing April 25). Specific areas
where we would appreciate further experience are:</p>
<ul>
<li>Do implementations achieve satisfactory performance?</li>
<li>Does the specification satisfy application scenario requirements for
encrypting and signing portions of XML?</li>
</ul>
<p>Publication of this document does not imply endorsement by the W3C
membership. This is a draft document and may be updated, replaced or
obsoleted by other documents at any time. It is inappropriate to cite a W3C
Working Draft as anything other than a "work in progress." A list of current
W3C working drafts can be found at <a
href="http://www.w3.org/TR/">http://www.w3.org/TR/</a>.</p>
<p>Please send comments to the editors (<<a
href="mailto:imamu@jp.ibm.com">imamu@jp.ibm.com</a>>, <<a
href="mailto:maruyama@jp.ibm.com">maruyama@jp.ibm.com</a>>) and cc: the
list <a href="mailto:xml-encryption@w3.org">xml-encryption@w3.org</a>
(publicly <a
href="http://lists.w3.org/Archives/Public/xml-encryption/">archived</a>).</p>
<p>Patent disclosures relevant to this specification may be found on the
Working Group's <a
href="http://www.w3.org/Encryption/2001/Disclosures">patent disclosure
page</a> in conformance with W3C policy.</p>
<h2>Table of Contents</h2>
</div>
<ol>
<li><a href="#introduction">Introduction</a>
<ol>
<li><a href="#purpose">Purpose</a></li>
<li><a href="#conventions">Editorial Conventions</a></li>
</ol>
</li>
<li><a href="#transform">Decryption Transform</a>
<ol>
<li><a href="#processing">Processing Rules</a></li>
<li style="list-style: none"><ol>
<li><a href="#functions">Functions</a></li>
<li><a href="#restrictions">Restrictions and Limitations</a></li>
</ol>
</li>
</ol>
</li>
<li><a href="#creation">Transform Creation (Non-Normative)</a></li>
<li><a href="#example">Example</a></li>
<li><a href="#security">Security Considerations</a>
<ol>
<li><a href="#security-reveal">Signatures Over Encrypted Data May
Reveal Information</a></li>
<li><a href="#sign-what-you-see">"Sign What You See"</a></li>
</ol>
</li>
<li><a href="#references">References</a></li>
</ol>
<hr />
<h2><a id="introduction" name="introduction">1 Introduction</a></h2>
<h3><a id="purpose" name="purpose">1.1 Purpose</a></h3>
<p>It has been noted by David Solo in [<a href="#Solo">Solo</a>] that both
signature [<a href="#XML-Signature">XML-Signature</a>] and encryption [<a
href="#XML-Encryption">XML-Encryption</a>] operations may be performed on an
XML document at any time and in any order, especially in scenarios such as
workflow. For example, Alice wishes to order and pay for a book from Bob
using the mutually trusted payment system ZipPay. Bob creates an order form
including the book title, price and his account info. He wants to sign all of
this information, but will subsequently encrypt his account info for ZipPay
only. He sends this to Alice who affirms the book title and price, signs the
form and presents the twice-signed order with her own payment information to
ZipPay. To validate both signatures ZipPay will have to know that the cipher
data version of the encrypted information is necessary for validating Alice's
signature, but the plain data form is necessary for validating Bob's
signature. (See <em><a href="#sign-what-you-see">"Sign What You See"</a></em>
(section 5.2) for more on signing encrypted data.)</p>
<p>Since encryption operations applied to part of the signed content after a
signature operation cause a signature not to be verifiable, it is necessary
to decrypt the portions encrypted after signing before the signature is
verified. The "decryption transform" proposed in this document provides a
mechanism; decrypting only signed-then-encrypted portions (and ignoring
encrypted-then-signed ones). A signer can insert this transform in a
transform sequence (e.g., before Canonical XML [<a
href="#XML-C14N">XML-C14N</a>] or XPath [<a href="#XPath">XPath</a>]) if
there is a possibility that someone will encrypt portions of the
signature.</p>
<p>The transform defined in this document is intended to propose a resolution
to the decryption/verification ordering issue within signed resources. It is
out of scope of this document to deal with the cases where the ordering can
be derived from the context. For example, when a <code>ds:DigestValue</code>
element or a (part of) <code>ds:SignedInfo</code> element is encrypted, the
ordering is obvious (without decryption, signature verification is not
possible) and there is no need to introduce a new transform.</p>
<h3><a id="conventions" name="conventions">1.2 Editorial Conventions</a></h3>
<p>The key words "MUST", "MUST NOT", "REQUIRED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC 2119 [<a
href="#Keywords">Keywords</a>].</p>
<p>This document makes use of the XML Encryption [<a
href="#XML-Encryption">XML-Encryption</a>] and XML Signature [<a
href="#XML-Signature">XML-Signature</a>] namespaces, and defines it own, with
the following prefixes:</p>
<pre>xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:dcrpt="http://www.w3.org/2001/04/decrypt#"
</pre>
<p>While applications MUST support XML and XML namespaces, the use of our
"<code>enc</code>", "<code>ds</code>", and "<code>dcrpt</code>" XML namespace
prefixes is OPTIONAL; we use this facility to provide compact and readable
exposition.</p>
<h2><a id="transform" name="transform">2 Decryption Transform</a></h2>
<dl>
<dt>Identifier:</dt>
<dd><a
href="http://www.w3.org/2001/04/decrypt#">http://www.w3.org/2001/04/decrypt#</a></dd>
</dl>
<p>This transform requires an XPath node-set [<a href="#XPath">XPath</a>] for
input. If an octet stream is given as input, it must be converted to a
node-set as described in <em><a
href="http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/#sec-ReferenceProcessingModel">The
Reference Processing Model</a></em> (section 4.3.3.2) of the XML Signature
specification [<a href="#XML-Signature">XML-Signature</a>]. The transform
decrypts all the <code>enc:EncryptedData</code> elements [<a
href="#XML-Encryption">XML-Encryption</a>] except for those specified by
<code>dcrpt:Except</code> elements. <code>dcrpt:Except</code> is defined
below via XML Schema [<a href="#XML-Schema">XML-Schema</a>] and appears as
direct child elements of the <code>ds:Transform</code> element.</p>
<p>The REQUIRED <code>URI</code> attribute value of the
<code>dcrpt:Except</code> element MUST be a non-empty same-document URI
reference [<a href="#URI">URI</a>] (i.e., a number sign ('#') character
followed by an XPointer expression (as profiled by [<a
href="#XML-Signature">XML-Signature</a>, <a
href="http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel">Section
4.3.3.2</a>])) and identify an <code>enc:EncryptedData</code> within the
input to this transform.</p>
<pre class="xml-dtd"> Schema Definition:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSchema 200102//EN"
"http://www.w3.org/2001/XMLSchema.dtd" [
<!ATTLIST schema
xmlns:dt CDATA #FIXED "http://www.w3.org/2001/04/decrypt#">
<!ENTITY % p ''>
<!ENTITY % s ''>
]>
<schema xmlns="http://www.w3.org/2001/XMLSchema" version="0.1"
xmlns:dt="http://www.w3.org/2001/04/decrypt#"
targetNamespace="http://www.w3.org/2001/04/decrypt#"
elementFormDefault="qualified">
<element name="Except" type="dt:ExceptType"/>
<complexType name="ExceptType">
<attribute name="Id" type="ID" use="optional"/>
<attribute name="URI" type="anyURI" use="required"/>
</complexType>
</schema>
</pre>
<h3><a id="processing" name="processing">2.1 Processing Rules</a></h3>
<p>This section describes the processing rules of the transform. The rules
are written as two functions; the inputs and outputs of the transform are the
inputs and outputs of the <a href="#func-decryptIncludedNodes"
class="link-def">decryptIncludedNodes()</a> function, which itself calls <a
href="#func-decrypt" class="link-def">decypt()</a>.</p>
<p>The transform operates over a node-set <em>X</em>, and its <a
name="def-parsing-context" id="def-parsing-context" class="link-def">parsing
context</a> , which consists of the following items:</p>
<ul>
<li>Prefix and namespace name of each namespace that is in scope for the
first element node in <em>X</em>.</li>
<li>Name and value of each general entity that is effective for the XML
document causing <em>X</em>.</li>
</ul>
<h4><a id="functions" name="functions">2.1.1 Functions</a></h4>
<dl>
<dt><a name="func-decryptIncludedNodes" id="func-decryptIncludedNodes"
class="link-def">Z = decryptIncludedNodes(X, R)</a></dt>
</dl>
<p>where <em>X</em> is a node-set and <em>R</em> is a set of
<code>dcrpt:Except</code> elements specified as a parameter of the transform.
<em>Z</em> is a node-set obtained by the following steps:</p>
<ol>
<li>Within <em>X</em>, select <em>e</em>, an element node with the type
<code>enc:EncryptedData</code>, such that is not referenced by any
<code>dcrpt:Except</code> elements in <em>R</em>. If such <em>e</em>
cannot be selected, the algorithm terminates and <em>Z</em>, the result
of the transformation, is <em>X</em>.</li>
<li>Let <em>C</em> be a <a href="#def-parsing-context"
class="link-def">parsing context</a> of <em>X</em>.</li>
<li>Let <em>Y</em> be <a href="#func-decrypt" class="link-def">decrypt(X,
e, C)</a>. If this function succeeds, replace <em>X</em> with <em>Y</em>.
Otherwise, the implementation MAY signal a failure of the transform.
Alternatively, it MAY also continue processing without changing
<em>X</em> (although it should take an appropriate means to avoid an
infinite loop).</li>
<li>Go to Step 1.</li>
</ol>
<dl>
<dt><a name="func-decrypt" id="func-decrypt" class="link-def">Y =
decrypt(X, e, C)</a></dt>
<dd>where <em>X</em> is a node-set, <em>e</em> is an element node with
the type <code>enc:EncryptedData</code> in <em>X</em>, and <em>C</em>
is a <a href="#def-parsing-context" class="link-def">parsing
context</a> of <em>X</em>.</dd>
<dd><em>Y</em> is a node-set obtained by the following steps:
<ol>
<li>Convert <em>X</em> to an octet stream as described in <em><a
href="http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/#sec-ReferenceProcessingModel">The
Reference Processing Model</a></em> (section 4.3.3.2) of the XML
Signature specification [<a
href="#XML-Signature">XML-Signature</a>].</li>
<li>Wrap the resulting octet stream with the octets representation of
dummy tags (i.e., <code><dummy></code> and
<code></dummy></code>) as proposed by Richard Tobin in [<a
href="#Tobin">Tobin</a>], and if needed, prepend the octets
representing an XML declaration and a document type declaration. In
order to parse the octet stream in the context of <em>C</em>, all
the namespace declarations in <em>C</em> MUST be added to the dummy
element. Also all the entity declarations in <em>C</em> MUST be
added to the document type declaration.</li>
<li>Decrypt the element corresponding to <em>e</em> (which may
require parsing) and replace it with the resulting octet stream
according to the XML Encryption specification [<a
href="#XML-Encryption">XML-Encryption</a>].</li>
<li>Parse the decrypted octet stream as described in <em><a
href="http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/#sec-ReferenceProcessingModel">The
Reference Processing Model</a></em> (section 4.3.3.2) of the XML
Signature specification [<a
href="#XML-Signature">XML-Signature</a>], resulting in a
node-set.</li>
<li><em>Y</em> is the node-set obtained by removing the root node,
the dummy element node, and its associated set of attribute and
namespace nodes from the node-set obtained in Step 4.</li>
</ol>
If any of the above steps fails for whatever reasons (e.g., the
decryption key cannot be located, parsing in Step 4 fails, etc.), this
function also fails.
<p>(In <a href="#func-decrypt" class="link-def">decrypt(X, e, C)</a>,
all of the steps except the actual decryption are necessary because
XPath does not permit one to remove and then replace a node.
Consequently, we must serialize (1), wrap (2), reparse (4), and trim
the node set (5).)</p>
</dd>
</dl>
<h4><a id="restrictions" name="restrictions">2.1.2 Restrictions and
Limitations</a></h4>
<p>These restrictions are necessary to ensure that the decrypted octet stream
is parsed correctly in a given <a href="#def-parsing-context"
class="link-def">parsing context</a>.</p>
<ol>
<li>During the above steps, <em>X</em> MUST always be a <a
href="#def-single-rooted" class="link-def">single-rooted</a> node-set. If
<em>X</em> is not single-rooted, this transform MUST fail. A node-set is
said to be <a name="def-single-rooted" id="def-single-rooted"
class="link-def">single-rooted</a> if and only if all of its member nodes
are either (1) the first node in the node-set in the document order, (2)
a descendant node of the first node, or (3) an attribute node or a
namespace node of another node in the node-set.</li>
<li>If the first node of the input is an element node with the type
<code>enc:EncryptedData</code>, the decrypted octet stream MUST be of
type <a
href="http://www.w3.org/2001/04/xmlenc#Element">http://www.w3.org/2001/04/xmlenc#Element</a>.</li>
<li>This transform does not include <code>enc:EncryptedKey</code> elements
within its scope of specifically indicating elements, and their
exceptions, that should be decrypted. An <code>enc:EncryptedKey</code>
that exists as a descendent of <code>enc:EncryptedData</code> might be
decrypted and will be removed from the original document as part of
processing its ancestor <code>enc:EncryptedData</code> with this
transform. However, a lone <code>enc:EncryptedKey</code> will be
processed like any other data: a signature is presumed to be over that
actual element and not its decrypted form. Consequently, we recommend
that <code>enc:EncryptedKey</code> elements always be children of an
<code>enc:EncryptedData</code>'s <code>ds:KeyInfo</code> when they fall
within the scope of a signature.</li>
</ol>
<h2><a id="creation" name="creation">3 Transform Creation
(Non-Normative)</a></h2>
<p>It is out of scope of this document how to create a
<code>ds:Transform</code> element and where to insert it in a transform
sequence. In this section, we just show a way to create the element as an
advisory.</p>
<p>A <code>ds:Transform</code> element can be created by the following
steps:</p>
<ol>
<li>Apply all the transforms being placed before this transform to a data
object being signed.</li>
<li>If the transform just before this transform outputs an octet stream,
convert it to a node-set as described in <em><a
href="http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/#sec-ReferenceProcessingModel">The
Reference Processing Model</a></em> (section 4.3.3.2) of the XML
Signature specification [<a href="#XML-Signature">XML-Signature</a>].</li>
<li>For each node in the node-set, if the node is an element node with the
type <code>enc:EncryptedData</code>, create an <code>dcrpt:Except</code>
element referencing the node.</li>
<li>Create a <code>ds:Transform</code> element, including the algorithm
identifier of this transform and all the <code>dcrpt:Except</code>
elements created in Step 3.</li>
</ol>
<h2><a id="example" name="example">4 Example</a></h2>
<p>Suppose the following XML document is to be signed. Note that the part of
this document (<code>[12]</code>) is already encrypted prior to signature. In
addition, the signer anticipates that some parts of this document, for
example, the <code>cardinfo</code> element (<code>[07-11]</code>) will be
encrypted after signing.</p>
<pre class="xml-example"> [01] <order Id="order">
[02] <item>
[03] <title>XML and Java</title>
[04] <price>100.0</price>
[05] <quantity>1</quantity>
[06] </item>
[07] <cardinfo>
[08] <name>Your Name</name>
[09] <expiration>04/2002</expiration>
[10] <number>5283 8304 6232 0010</number>
[11] </cardinfo>
[12] <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
Id="enc1">...</EncryptedData>
[13] </order>
</pre>
<p>In order to let the recipient know the proper order of decryption and
signature verification, the signer includes the decryption transform
(<code>[06-08]</code> below) in the signature. Assuming that an additional
encryption is done on the <code>cardinfo</code> element (<code>[22]</code>),
the recipient would see the following encrypt-sign-encrypt document:</p>
<pre class="xml-example"> [01] <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
[02] <SignedInfo>
[03] ...
[04] <Reference URI="#order">
[05] <Transforms>
[06] <Transform Algorithm="http://www.w3.org/2001/04/decrypt#">
[07] <Except xmlns="http://www.w3.org/2001/04/decrypt#"
URI="#enc1"/>
[08] </Transform>
[09] <Transform
Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026"/>
[10] </Transforms>
[11] ...
[12] </Reference>
[13] </SignedInfo>
[14] <SignatureValue>...</SignatureValue>
[15] <Object>
[16] <order Id="order">
[17] <item>
[18] <title>XML and Java</title>
[19] <price>100.0</price>
[20] <quantity>1</quantity>
[21] </item>
[22] <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
Id="enc2">...</EncryptedData>
[23] <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
Id="enc1">...</EncryptedData>
[24] </order>
[25] </Object>
[26] </Signature>
</pre>
<p>The recipient should first look at the <code>Signature</code> element
(<code>[01-26]</code>) for verification. It refers to the <code>order</code>
element (<code>[16-24]</code>) with two transforms: decryption
(<code>[06-08]</code>) and canonicalization (<code>[09]</code>). The
decryption transform instructs the signature verifier to decrypt all the
encrypted data except for the one specified in the <code>Except</code>
element (<code>[07]</code>). After decrypting the <code>EncryptedData</code>
in line <code>[22]</code>, the <code>order</code> element is canonicalized
and signature-verified.</p>
<h2><a id="security" name="security">5 Security Considerations</a></h2>
<h3><a id="security-reveal" name="security-reveal">5.1 Signatures Over
Encrypted Data May Reveal Information</a></h3>
<p>When this algorithm is used to facilitate subsequent encryption of data
already signed, the digest value of the signed resource still appears in
clear text in a <code>ds:Reference</code> element. As noted by Hal Finney in
[<a href="#Finney">Finney</a>], such a signature may reveal information (via
the digest value) over encrypted data that increases the encryption's
vulnerability to plain-text-guessing attacks. This consideration is out of
scope of this document and (if relevant) should be addressed by applications.
For example, as proposed by Amir Herzberg in [<a
href="#Herzberg">Herzberg</a>], one may include a random 'salt' in a resource
being signed to increase its entropy.</p>
<p>Another approach is that when a signature referent is encrypted, one may
also encrypt the signature (or at least the <code>ds:DigestValue</code>
elements). As noted by Joseph Reagle in [<a href="#Reagle">Reagle</a>], this
latter solution works only if signature and encryption are well known by each
other. For example, the signature may not be known of because it is detached.
Or, it may be already encrypted! Consider, Alice Encrypts element A and the
Signature over the parent of A. Bob Encrypts element B (sibling of A) but not
the Signature since he doesn't know about it. Alice then decrypts A and it's
Signature, which may provide information to a subsequent plain text attack on
the encrypted B.</p>
<h3><a id="sign-what-you-see" name="sign-what-you-see">5.2 "Sign What You
See"</a></h3>
<p>This specification serves scenarios in which a person might sign encrypted
data. Because XML Signature [<a href="#XML-Signature">XML-Signature</a>] has
only a simple semantic whereby a key is associated with some data -- and
nothing more -- the signing of encrypted data is a legitimate process. For
example, someone might run a content-neutral time stamp service that will
sign any data sent to it with its time-stamping key under the semantic, "I
received this on $date $time." However, applications often explicitly or
implicitly associate more substantive semantics (e.g., authorizes, agrees,
authors) with a signature. No one should be asked to apply a signature and
its semantic to data he or she did not see. Just as the principles of <a
href="http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/#sec-Seen"><em>Only
What is 'Seen' Should be Signed</em></a> and <a
href="http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/#sec-See"><em>'See'
What is Signed</em></a> are important for understanding the import of an XML
Signature, they are doubly important when semantics are associated with that
signature: one MUST NOT infer that a signature over encrypted data is also a
signature over its plain text form, nor that the meaning of that signature
over the encrypted data also applies to the plain text. If one wishes to sign
the plain text form of data which is later encrypted, use the transform
specified in this document!</p>
<h2><a id="references" name="references">6 References</a></h2>
<dl>
<dt><a id="Finney" name="Finney">Finney</a></dt>
<dd>H. Finney. <a
href="http://lists.w3.org/Archives/Public/xml-encryption/2000Nov/0064">Re:
Combining signing and encrypting</a>, XML Encryption mailing list,
2000.</dd>
<dd><a
href="http://lists.w3.org/Archives/Public/xml-encryption/2000Nov/0064">http://lists.w3.org/Archives/Public/xml-encryption/2000Nov/0064</a></dd>
<dt><a id="Herzberg" name="Herzberg">Herzberg</a></dt>
<dd>A. Herzberg. <a
href="http://lists.w3.org/Archives/Public/xml-encryption/2001Mar/0025">Signing
encrypted data</a>, XML Encryption mailing list, 2001.</dd>
<dd><a
href="http://lists.w3.org/Archives/Public/xml-encryption/2001Mar/0025">http://lists.w3.org/Archives/Public/xml-encryption/2001Mar/0025</a></dd>
<dt><a id="Keywords" name="Keywords">Keywords</a></dt>
<dd>S. Bradner. <a href="http://www.ietf.org/rfc/rfc2119.txt">Key words
for use in RFCs to Indicate Requirement Levels</a>, RFC 2119, 1997.</dd>
<dd><a
href="http://www.ietf.org/rfc/rfc2119.txt">http://www.ietf.org/rfc/rfc2119.txt</a></dd>
<dt><a id="Reagle" name="Reagle">Reagle</a></dt>
<dd>J. Reagle. <a>Re: Signing and Encryption</a>, XML Encryption mailing
list, 2001.</dd>
<dd><a
href="http://lists.w3.org/Archives/Public/xml-encryption/2001Jan/0100">http://lists.w3.org/Archives/Public/xml-encryption/2001Jan/0100</a></dd>
<dt><a id="Solo" name="Solo">Solo</a></dt>
<dd>D. Solo. <a
href="http://lists.w3.org/Archives/Public/xml-encryption/2000Nov/0058">Combining
signing and encrypting</a>, XML Encryption mailing list, 2000.</dd>
<dd><a
href="http://lists.w3.org/Archives/Public/xml-encryption/2000Nov/0058">http://lists.w3.org/Archives/Public/xml-encryption/2000Nov/0058</a></dd>
<dt><a id="Tobin" name="Tobin">Tobin</a></dt>
<dd>R. Tobin. <a
href="http://lists.w3.org/Archives/Member/w3c-xml-core-wg/2000OctDec/0054">Infoset
for external entities</a>, XML Core mailing list, 2000 [<a
href="http://cgi.w3.org/MemberAccess/AccessRequest">W3C Member
Only</a>].</dd>
<dd><a
href="http://lists.w3.org/Archives/Member/w3c-xml-core-wg/2000OctDec/0054">http://lists.w3.org/Archives/Member/w3c-xml-core-wg/2000OctDec/0054</a></dd>
<dt><a id="URI" name="URI">URI</a></dt>
<dd>T. Berners-Lee, R. Fielding, and L. Masinter. <a
href="http://www.ietf.org/rfc/rfc2396.txt">Uniform Resource Identifiers
(URI): Generic Syntax</a>, RFC 2396, 1998.</dd>
<dd><a
href="http://www.ietf.org/rfc/rfc2396.txt">http://www.ietf.org/rfc/rfc2396.txt</a></dd>
<dt><a id="XML-C14N" name="XML-C14N">XML-C14N</a></dt>
<dd>J. Boyer. <a
href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">Canonical XML
Version 1.0</a>, W3C Recommendation, 2001.</dd>
<dd><a
href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a></dd>
<dt><a id="XML-Encryption" name="XML-Encryption">XML-Encryption</a></dt>
<dd>D. Eastlake and J. Reagle. <a
href="http://www.w3.org/TR/2001/WD-xmlenc-core-20011018/">XML
Encryption Syntax and Processing</a>, W3C Candidate Recommendation,
2002.</dd>
<dd><a
href="http://www.w3.org/TR/2002/CR-xmlenc-core-20020304/">http://www.w3.org/TR/2002/CR-xmlenc-core-20020304/</a></dd>
<dt><a id="XML-Schema" name="XML-Schema">XML-Schema</a></dt>
<dd>H. Thompson, D. Beech, M. Maloney, and N. Mendelsohn. <a
href="http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/">XML Schema
Part 1: Structures</a>, W3C Recommendation, 2001.</dd>
<dd><a
href="http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/">http://www.w3.org/TR/2001/REC-xmlschema-1-20010502</a></dd>
<dd>P. Biron and A. Malhotra. <a
href="http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/">XML Schema
Part 2: Datatypes</a>, W3C Rec., 2001.</dd>
<dd><a
href="http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/">http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/</a></dd>
<dt><a id="XML-Signature" name="XML-Signature">XML-Signature</a></dt>
<dd><a
href="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/">XML-Signature
Syntax and Processing</a>. D. Eastlake, J. Reagle, and D. Solo. W3C
Recommendation, February 2002. <a
href="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/">http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/</a></dd>
<dt><a id="XPath" name="XPath">XPath</a></dt>
<dd>J. Clark and S. DeRose. <a
href="http://www.w3.org/TR/1999/REC-xpath-19991116">XML Path Language
(XPath) Version 1.0</a>, W3C Recommendation, 1999.</dd>
<dd><a
href="http://www.w3.org/TR/1999/REC-xpath-19991116">http://www.w3.org/TR/1999/REC-xpath-19991116</a></dd>
</dl>
</body>
</html>