The Digital Signature


The XML signature specification (see Reference 2) describes a means to sign XML documents. The Signature element consists of three major parts:

  • A description of the signed elements, which may be an entire document, or selected parts of a document

  • A digital signature

  • Information on the key used to sign the document

PIDF-LO Transformation

Since the content of XML documents is indeterminate based on similar data sets, Reference 3 describes a set of transforms that may be applied to a document before applying a digital signature.

The input PIDF-LO document must be canonicalized using either Canonical XML, identified by the URI http://www.w3.org/TR/2001/REC-xml-c14n-20010315 or Exclusive Canonical XML, identified by the URI http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/. Note that both of these canonicalization methods remove comments from the source document (see References 3 and 4).

The signature form selected for this document is an enveloped signature. Therefore, the enveloped signature transform (identified by the URI http://www.w3.org/2000/09/xmldsig#enveloped-signature) must be applied to the document.

To limit the coverage of the signature to the necessary elements only, a filter is applied to the input document in order to select the correct elements for signing. It is desirable that the transformed document is also a valid PIDF-LO. In addition, the transform also excludes tuple elements other than the element that is directly signed. This ensures that other content may be included in other tuple elements, including other digital signatures.

The following elements are selected:

  • The presence element, which includes the entity attribute

  • The location-info element and all of its contents

  • The timestamp element associated with the signed tup1e element

  • The domain-auth element

The minimum set of elements required to ensure that the signed document is a valid PIDF-LO are also to be included.

The XML Path Language (XPath) filter defined later in this section meets the preceding criteria. For convenience, and to reduce the size of a signed PIDF-LO document, this transform may be identified by the URN http://sitacs.uow.edu.au/ns/location/held/domain-auth#PIDF-LO.

Note that any elements from other namespaces included within the domain-auth element are selected by this XPath filter. This ensures that additions to this element are covered by the digital signature.

Algorithms

As recommended in Reference 2, implementations of this specification must provide the following algorithms:

  • Digest algorithm The SHA1 digest, as identified by the URN http://www.w3.org/2000/09/xmldsig#sha1.

  • Signature algorithm DSA with SHA1, as identified by the URN http://www.w3.org/2000/09/xmldsig#dsa-sha1.

  • Canonicalization method Canonical XML (Reference 3), as identified by the URN http://www.w3.org/TR/2001/REC-xml-cl4n-20010315.

  • Transforms The enveloped signature transform, as identified by the URN http://www.w3.org/2000/09/xmldsig#enveloped-signature; and the transform defined in this note, as identified by the URN http://sitacs.uow.edu.au/ns/location/held/domain-auth#PIDF-LO.

It is also recommended that the following also be supported:

  • Signature algorithm The PKCS1 (RSA-SHA1) signature algorithm, as identified by http://www.w3.org/2000/09/xmldsig#rsa-sha1.

  • Canonicalization method Exclusive Canonical XML, as identified by the URN http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/ (see Reference 4).

Signature Key Data

Reference 2 describes a number of methods for describing the key used to sign the document. For this specification, the KeyInfo element must be provided in the signature element.

The domain authority must also describe a means to retrieve an X.509 certificate that includes the key used to sign the document. This can be done either by including an x509Certificate element, or by referencing another certificate.

A reference to a certificate within the same document may be made using the x509SubjectName element or a fragment identifier URI. A fragment identifier URI might be applicable where multiple signatures are applied to different parts of the document. External certificate sources should be described by URI only in the RetrievalMethod element. It is recommended that the scheme for the RetrievalMethod URI indicates a secure protocol, such as secure HTTP, as an https: URI.

The LIST may also include additional information in the Keylnfo element that could assist the location user in validating the certificate. For example, a certificate chain and certificate revocation list may be added. However, this specification does not specify how the location user validates the certificate.



IP Location
IP Location
ISBN: 0072263776
EAN: 2147483647
Year: 2004
Pages: 129

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net