P3P, the Platform for Privacy Preferences [P3P], provides a syntax for Web sites to specify their privacy policies in a standard format. A privacy policy indicates what information the Web site retains and how it uses that information. P3P seeks to inform Web services users of the available policies of the sites they visit. Users can select among the available policies or refuse to use the offered service if none of the offered policies is acceptable. The intention in standardizing the expression of privacy policies is to enable the automation of such decisions. Clearly, user assurance of the authenticity of such privacy policy information is desirable for any user who wants to have confidence in the policy descriptions and, potentially, the ability to call on third parties to take action if such policies are violated.

11.1.1 Linkage of XMLDSIG to P3P Semantics

Although P3P policies appear in XML, P3P's syntax does not permit the inclusion of signatures in its constructs. However, the [P3P-Sec] W3C Note profiles a way to "assure" a P3P policy with an enveloping or detached XML digital signature. This assurance means that the specified dispute service enforces the signed P3P policy using the specified remedies, as long as the signature key matches the dispute service key. You accomplish this goal by specifying an "Assures" element that appears within a SignatureProperty element in a SignatureProperties element. The signing of such a SignatureProperties by a Reference from a Signature element binds the assurance to the key employed for this signing. In addition, the "verification" attribute of a "disputes" clause in the P3P policy can point to a signature containing an Assures element. The signature can then be found starting with the policy, as shown in Example 11-1. Applications must use additional mechanisms to determine whether the application can trust that the key belongs to the dispute service.
In addition, anyone depending on a signature should confirm that the key size and type and algorithms in use provide adequate security for the user's purposes.

Example 11-1 P3P policy with signature verification

http://www.example.org/p3p.xml

    <POLICY xmlns="http://www.w3.org/2000/09/15/P3Pv1"
            discuri="http://www.example.com/PrivacyPracticeBrowsing.html">
      ...
      <DISPUTES-GROUP>
        <DISPUTES resolution-type="independent"
                  service="http://www.PrivacySeal.example.org"
                  short-description="PrivacySeal.example.org"
                  verification="http://www.example.org/Signature.xml">
          <IMG src="http://www.PrivacySeal.example.org/Logo.gif"
               alt="PrivacySeal's logo"/>
          <REMEDIES><correct/></REMEDIES>
        </DISPUTES>
      </DISPUTES-GROUP>
      <STATEMENT>
        <PURPOSE><admin/><develop/></PURPOSE>
        <RECIPIENT><ours/></RECIPIENT>
        <RETENTION><stated-purpose/></RETENTION>
        <DATA-GROUP>
          <DATA ref="#dynamic.clickstream.clientip"/>
          <DATA ref="#dynamic.http.useragent"/>
        </DATA-GROUP>
      </STATEMENT>
    </POLICY>

11.1.2 Specific Assurance Syntax

The syntax of the Assures element follows:

Schema Definition:

    <?xml version='1.0'?>
    <!DOCTYPE schema SYSTEM 'http://www.w3.org/1999/XMLSchema.dtd'>
    <schema targetNamespace='http://www.w3.org/2001/02/xmldsig-p3p-profile'
            version='0.1'
            xmlns='http://www.w3.org/2000/10/XMLSchema'
            xmlns:profile='http://www.w3.org/2001/02/xmldsig-p3p-profile'
            elementFormDefault='qualified'>

      <element name='Assures'>
        <complexType>
          <all>
            <element ref='profile:P3P-Policy' minOccurs='0'/>
            <element ref='profile:Signature' minOccurs='0'/>
          </all>
          <attribute name='via' type='URI'/>
          <attribute name='Id' type='ID' use='optional'/>
        </complexType>
      </element>

      <element name='P3P-Policy'>
        <complexType>
          <sequence>
            <any namespace='http://www.w3.org/2000/10/18/P3Pv1'/>
          </sequence>
          <attribute name='Id' type='ID' use='required'/>
        </complexType>
      </element>

      <element name='Signature'>
        <complexType>
          <sequence>
            <any namespace='http://www.w3.org/2000/09/xmldsig#'/>
          </sequence>
          <attribute name='Id' type='ID' use='required'/>
        </complexType>
      </element>

    </schema>

11.1.3 P3P XMLDSIG Use

Applications and users can use the P3P profiled XML signature in several ways; some examples follow. Other arrangements are also possible.

Detached Signature Element

A Signature element can appear separately that points to and provides assurance for a P3P policy. Example 11-2 shows a made-up Signature element that signs a P3P policy through its first Reference and then signs the semantic assertion that this policy is assured through its second Reference.

Example 11-2 Detached P3P signature

    <Signature Id="Signature1" xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000907"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <!-- First Reference: the P3P policy itself -->
        <Reference URI="http://www.foo.example/p3p.xml">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000907"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>V3CLi8jBwTEODuttbdtXV5e3t6k=</DigestValue>
        </Reference>
        <!-- Second Reference: the SignatureProperties that carries the Assures assertion -->
        <Reference URI="#Assurance1"
                   Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>/GgdHYV6emaoqH8UFIdgYKFMTBE=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>
        Kslvb0xDQ05DQzMeHnXc3GTk5C08PJEJCdeHh6b8/Ijp6Sp1ddRqag==
      </SignatureValue>
      <KeyInfo>
        <DSAKeyValue>
          ...KeyInfo of the Disputes Service...
        </DSAKeyValue>
      </KeyInfo>
      <Object>
        <!-- Id="Assurance1" is the element the second Reference's URI resolves to -->
        <SignatureProperties Id="Assurance1">
          <!-- Target names the Signature (Id="Signature1") that this property describes -->
          <SignatureProperty Target="#Signature1" xmlns="http://www.w3.org/2000/09/xmldsig#">
            <Assures Policy="http://www.foo.example/p3p.xml"
                     xmlns="http://www.w3.org/2001/02/xmldsig-p3p-profile"/>
          </SignatureProperty>
        </SignatureProperties>
      </Object>
    </Signature>

Enveloping Signature/Assures

Rather than referencing an external policy, the Signature element can also enclose the policy by adding another Object within the Signature to contain it.
The Assures element can also directly enclose the policy. These arrangements are relatively straightforward, so this book does not provide a specific example of them.

11.1.4 Limitations

For P3P to succeed, widespread compatibility and interoperability are clearly desirable. Consequently, the P3P XMLDSIG profile places stringent limitations on the signatures that you use in this context. The following list identifies these limitations and the identifying URIs for allowed choices.
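The linkage walked through in 11.1.1 and illustrated by Examples 11-1 and 11-2 (policy DISPUTES "verification" attribute, to a detached Signature, to a signed SignatureProperties whose Assures names the policy back) is easy to get half right: an application that only checks the SignatureValue has not checked that the assurance actually applies to the policy it fetched. The following Python is an added example, not code from the book or from the W3C profile. It builds a constructed policy and signature modelled on the two examples, then checks every link in the chain and recomputes the first Reference's digest over the policy bytes. Assumptions: the standard library canonicalizer (C14N 2.0, Python 3.8+) stands in for the 2000 C14N draft that the Transform URI names, so a real verifier must dispatch on the Transform URI instead; and verifying SignatureValue (DSA over SignedInfo) against the dispute service's key, plus the second Reference's digest, is left to a full XMLDSIG library, so this is a binding check that complements signature verification rather than replacing it.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
P3P = "http://www.w3.org/2000/09/15/P3Pv1"
PROFILE = "http://www.w3.org/2001/02/xmldsig-p3p-profile"
C14N = "http://www.w3.org/TR/2000/WD-xml-c14n-20000907"  # Transform URI from Example 11-2
SHA1 = DSIG + "sha1"

POLICY_URI = "http://www.example.org/p3p.xml"           # where the policy is fetched from
SIGNATURE_URI = "http://www.example.org/Signature.xml"  # where the signature is fetched from

# Constructed sample policy, trimmed from Example 11-1.
POLICY_XML = """<POLICY xmlns="http://www.w3.org/2000/09/15/P3Pv1"
        discuri="http://www.example.com/PrivacyPracticeBrowsing.html">
  <DISPUTES-GROUP>
    <DISPUTES resolution-type="independent"
              service="http://www.PrivacySeal.example.org"
              verification="http://www.example.org/Signature.xml">
      <REMEDIES><correct/></REMEDIES>
    </DISPUTES>
  </DISPUTES-GROUP>
  <STATEMENT>
    <PURPOSE><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream.clientip"/></DATA-GROUP>
  </STATEMENT>
</POLICY>
"""


def c14n_sha1_b64(xml_text):
    """Canonicalize (stdlib C14N 2.0 as a stand-in), SHA-1, base64: the DigestValue form."""
    canonical = ET.canonicalize(xml_data=xml_text)
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


# Constructed sample signature in the shape of Example 11-2. The policy digest is
# filled in here so the sample is self-consistent; SignatureValue and the second
# DigestValue are placeholders that this example does not check.
SIGNATURE_XML = """<Signature Id="Signature1" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000907"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.example.org/p3p.xml">
      <Transforms><Transform Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000907"/></Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>@POLICY_DIGEST@</DigestValue>
    </Reference>
    <Reference URI="#Assurance1" Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>PLACEHOLDER-NOT-CHECKED-HERE</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>PLACEHOLDER-NOT-CHECKED-HERE</SignatureValue>
  <Object>
    <SignatureProperties Id="Assurance1">
      <SignatureProperty Target="#Signature1">
        <Assures xmlns="http://www.w3.org/2001/02/xmldsig-p3p-profile"
                 Policy="http://www.example.org/p3p.xml"/>
      </SignatureProperty>
    </SignatureProperties>
  </Object>
</Signature>
""".replace("@POLICY_DIGEST@", c14n_sha1_b64(POLICY_XML))

# Constructed tampered copy: the remedy was changed after the policy was signed.
TAMPERED_POLICY_XML = POLICY_XML.replace("<correct/>", "<money/>")


def check_assurance_binding(policy_xml, policy_uri, signature_xml, signature_uri):
    """Return one boolean per link in the policy-to-Assures chain, plus 'ok' for all of them."""
    policy = ET.fromstring(policy_xml)
    sig = ET.fromstring(signature_xml)
    r = {}
    # 1. The policy's DISPUTES clause points at the signature we actually fetched.
    disputes = policy.iter("{%s}DISPUTES" % P3P)
    r["verification_points_to_signature"] = any(d.get("verification") == signature_uri for d in disputes)
    # 2. SignedInfo references the policy URI with the expected algorithms and the digest still matches.
    refs = sig.findall("{%s}SignedInfo/{%s}Reference" % (DSIG, DSIG))
    policy_ref = next((x for x in refs if x.get("URI") == policy_uri), None)
    r["policy_referenced"] = policy_ref is not None
    r["policy_digest_matches"] = False
    if policy_ref is not None:
        transforms = [t.get("Algorithm") for t in policy_ref.findall("{%s}Transforms/{%s}Transform" % (DSIG, DSIG))]
        digest_method = policy_ref.find("{%s}DigestMethod" % DSIG).get("Algorithm")
        digest_value = (policy_ref.findtext("{%s}DigestValue" % DSIG) or "").strip()
        if transforms == [C14N] and digest_method == SHA1:
            r["policy_digest_matches"] = hmac.compare_digest(digest_value, c14n_sha1_b64(policy_xml))
    # 3. A Reference of Type SignatureProperties resolves by Id inside this Signature, its Assures
    #    names the same policy, and its SignatureProperty Target points back at this Signature.
    r["assures_signed"] = False
    r["assures_targets_this_signature"] = False
    props_ref = next((x for x in refs if x.get("Type") == DSIG + "SignatureProperties"), None)
    if props_ref is not None and props_ref.get("URI", "").startswith("#"):
        wanted = props_ref.get("URI")[1:]
        props = next((p for p in sig.iter("{%s}SignatureProperties" % DSIG) if p.get("Id") == wanted), None)
        if props is not None:
            r["assures_signed"] = any(a.get("Policy") == policy_uri for a in props.iter("{%s}Assures" % PROFILE))
            targets = [p.get("Target") for p in props.iter("{%s}SignatureProperty" % DSIG)]
            sig_id = sig.get("Id")
            r["assures_targets_this_signature"] = bool(targets) and sig_id is not None and all(t == "#" + sig_id for t in targets)
    r["ok"] = all(r.values())
    return r


if __name__ == "__main__":
    for label, doc in (("genuine", POLICY_XML), ("tampered", TAMPERED_POLICY_XML)):
        print(label, check_assurance_binding(doc, POLICY_URI, SIGNATURE_XML, SIGNATURE_URI))
```

The digest comparison uses the policy text as fetched, so a remedy edited after signing (the tampered copy) fails check 2 even though every structural link in checks 1 and 3 still holds; conversely, a signature fetched from a URL the policy never named fails check 1. Both outcomes are reasons to treat the assurance as absent, and neither is visible to code that validates SignatureValue alone.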