Validation and Semantics of XML Digital Signatures
Paul A. Lambert
April 15, 1999
plambert@sprintmail.com

Overview
- Meaning
- Validation processing
- Key Usage
- Delegation
- Recommendations

What is the meaning of a Signature?
- I approve?
- I created?
- I read?
- I grant?
- Signature “meaning” is not part of the signed document!
- XML signatures must carry signature meaning separate from signed information

Validation
- Determine algorithms, signature formats, and key
- Hash appropriate data
- Use appropriate algorithms and key to create signature over hashed information
- Compare computed signature to attached signature
- Determine if the key was trusted for this usage
  - Is the key valid?
  - Is it appropriate for this XML application?

Key Usage
- Validation:
  - cryptographic
  - is the key valid?
  - is the key appropriate for this application?
- Usage must be tied to XML schema
  - Embed XML in X.509?
  - Create XML property authorization certificates!

Delegation and Authorization
- XML statements can delegate trust to determine key usage
- Trust management
- Assignment of rights to make statements in specific ranges.
- Grant rights for ranges of target and range of signature semantic property values

Signatures versus Authorization
- Signatures are statements of the form:
  “In {schema}, {key_holder} says {object} has {property}”.
- Authorization statements are of the form:
  “In {schema}, {key_holder-1} grants {key_holder-2} the rights to make statements in {object_range}{property_range}”.

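Added example (not from the original slides): a small model of the two statement forms above, checking whether a key holder's signature statement is covered by a chain of authorization statements leading back to a trust root. Expressing ranges as glob patterns, the key names, and the schema name are assumptions made for illustration; the cryptographic check of each signature is assumed to have already passed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Statement:   # "In {schema}, {key_holder} says {object} has {property}"
    schema: str
    key_holder: str
    object: str
    property: str

@dataclass(frozen=True)
class Grant:       # "{key_holder-1} grants {key_holder-2} the rights to make statements in ..."
    schema: str
    grantor: str
    grantee: str
    object_range: str    # glob pattern (assumption: the slides do not define a range syntax)
    property_range: str  # glob pattern (assumption)

def covers(grant, stmt):
    """True if the grant's schema and both ranges include the statement."""
    return (grant.schema == stmt.schema
            and fnmatchcase(stmt.object, grant.object_range)
            and fnmatchcase(stmt.property, grant.property_range))

def authorized(stmt, grants, roots, seen=frozenset()):
    """A key may make stmt if it is a trust root, or if it holds a covering grant
    from a grantor that could itself have made the same statement."""
    holder = stmt.key_holder
    if holder in roots:
        return True
    if holder in seen:          # delegation loop with no path to a root
        return False
    seen = seen | {holder}
    for g in grants:
        if g.grantee == holder and covers(g, stmt):
            upstream = Statement(stmt.schema, g.grantor, stmt.object, stmt.property)
            if authorized(upstream, grants, roots, seen):
                return True
    return False

# Constructed sample data (hypothetical keys and schema).
ROOTS = {"key:root"}
GRANTS = [
    Grant("po-schema", "key:root", "key:finance", "invoice/*", "*"),
    Grant("po-schema", "key:finance", "key:alice", "invoice/2024-*", "approved"),
    Grant("po-schema", "key:finance", "key:carol", "*", "*"),  # wider than finance holds
    Grant("po-schema", "key:mallory", "key:bob", "*", "*"),    # grantor has no root path
    Grant("po-schema", "key:bob", "key:mallory", "*", "*"),    # closes a loop
]
```

Because every link in the chain must cover the statement, a grantee never ends up with more rights than its grantor held, whatever ranges the grant itself names.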
Recommendations
- XML signatures should include signature semantics
  - perhaps all XML signatures are a type of RDF statement
- XML signature specification must include complete description of validity processing
- Authorization should be supported
  - perhaps a specific type of RDF statement to grant property ranges to subject ranges

Contact Information
Paul A. Lambert
Certicom Corp.
25801 Industrial Blvd.
Hayward, CA, 96565
+1-510-780-5400
plambert@sprintmail.com