digital signature comments
Greg Whitehead <gwhitehead@signio.com> Tue, 21 September 1999 21:08 UTC
Received: from one.eListX.com (one.elistx.com [209.116.252.130]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA09747 for <trade-archive@lists.ietf.org>; Tue, 21 Sep 1999 17:08:53 -0400 (EDT)
Received: from one.elistx.com by one.eListX.com id aa09252; 21 Sep 99 16:57 EDT
Received: from e4-0-3-wcdc-paymentnet3.digisle.net by one.eListX.com id aa09240; 21 Sep 99 16:56 EDT
Received: from mail.paymentnet.com by e4-0-3-wcdc-paymentnet3.digisle.net via smtpd (for one.elistx.com [209.116.252.130]) with SMTP; 21 Sep 1999 21:04:38 UT
Received: by CORPMAIL with Internet Mail Service (5.5.2448.0) id <Q7LZ494K>; Tue, 21 Sep 1999 13:56:09 -0700
Message-ID: <6B962A1EE646D31193270008C7A4BAB5093327@CORPMAIL>
From: Greg Whitehead <gwhitehead@signio.com>
To: "'ietf-trade@lists.eListX.com'" <ietf-trade@lists.eListX.com>
Subject: digital signature comments
Date: Tue, 21 Sep 1999 13:56:07 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: ietf-trade-owner@lists.eListX.com
Precedence: bulk
X-elistx: ietf-trade
Source-Info: From (or Sender) name not authenticated.
I'm new to the mailing list, so forgive me if these points have been discussed before. I'm looking forward to meeting everyone at the upcoming meeting in DC. First, I come from the PKIX world, so my attention was immediately drawn to the digital signature aspects of the proposal: [1] draft-ietf-trade-iotp-v1.0-dsig-03.txt [2] draft-ietf-trade-hiroshi-dom-hash-03.txt I understand that v2 of the IOTP protocol may use a completely different signature syntax, based on the XMLDSIG WG output, but I offer the following comments on the v1 syntax [1] in the interest of producing interoperable implementations: 3.3 OriginatorInfo and RecipientInfo ------------------------------------ These are both familiar terms from S/MIME CMS, but I was initially confused by the inclusion of RecipientInfo in a signature. In CMS, a RecipientInfo is used to exchange a symmetric cipher key with a recipient (using either RSA or DH) when encrypting data for that recipient. OriginatorInfo was expected, as it is used in CMS when signing with DSA (but not with RSA). It's role has been expanded in IOTP-DSIG to identify the signer, which is fine (that info appears elsewhere in CMS). I eventually figured out that the intent of including RecipientInfo was to enable "signature" algorithms based on shared secrets. I suppose that's fine as long as the properties of these algorithms are well understood: the proposed HMAC signature, for example, couldn't be used for non-repudiation since the recipient could trivially forge the signature. 4.3.1 Signature --------------- >From the text: > The process for generating the signed value is a multi-step process, > involving a canonicalization algorithm, a digest algorithm, and a > signature algorithm. > > First, the Manifest is canonicalized with an algorithm specified > within the Algorithm element of the Manifest. The canonicalized form > removes any inconsistencies in white space introduced by XML parsing > engines. > > This canonicalized form is then converted into a digest form which > uniquely identifies the canonicalized document. Any slight > modification in the original document will result in a very different > digest value. This suggests that a canonicalization algorithm must be specified in the Manifiest (section 4.3.2), yet the Algorithm type (section 4.3.3) provides no way to do that. It appears that canonicalization has been folded into the digest algorithm, which makes sense since the two are sometimes inseparable (DOMHASH), but this should be clarified. If DOMHASH is, in fact, meant to include canonicalization, it would be good if its spec [2] provided specific details (along with test cases and their respective digest values). 4.4.2 IssuerAndSerialNumber --------------------------- As used in CMS, IssuerAndSerialNumber is a binary structure lifted directly from the certificate. In IOTP-DSIG, the issuer name (X.500 DN) and serial number (ASN.1 Integer) are each represented as strings. Unfortunately, converting DNs to strings is non-trivial (internally, DNs are binary structures that use ASN.1 OIDs to identify attributes and determine the encoding of their values). If IssuerNameAndSerialNumber is simply meant to serve as an opaque identifier, to name Certificate elements included in IOTPSignatures, then there is no problem: any scheme that produces unique identifiers will work (why not just use an IDREF in that case?) If, however, it is meant to serve as a key for locating certificates in an external repository, such as an LDAP directory, then the format needs to be more precisely specified. I would suggest rfc2253 (LDAPv3: UTF-8 String Representation of Distinguished Names) as a starting point: http://www.ietf.org/rfc/rfc2253.txt -Greg -- Greg Whitehead Chief Scientist Signio, Inc. 1600 Bridge Parkway, Suite 201 Redwood City, CA 94065 650-622-2250 650-622-2201 (fax) gwhitehead@signio.com http://www.signio.com ----------------------------------------------------------------------- Message addressed to: ietf-trade@lists.elistx.com Archive available at: http://www.elistx.com/archives/ietf-trade/ To (un)subscribe send a message with "subscribe" or "unsubscribe" in the body to: ietf-trade-request@lists.elistx.com
- Re: digital signature comments Yoshiaki KAWATSURA
- digital signature comments Greg Whitehead
- Re: digital signature comments Donald E. Eastlake 3rd