You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cocoon.apache.org by Jason Foster <ja...@uwaterloo.ca> on 2002/02/17 05:10:54 UTC
xml-signature
Just to toss an idea out into the fray...
Now that the W3 has recommended xml-signature, does it make sense to try
and figure out how to incorporate it into the Cocoon pipeline model?
I've put a (very) little thought into this and I'm not sure what approach
makes the most sense. For documents serialized as XML, then a
modification to the XMLSerializer should work. For other serializers
where you can't easily add XML content, then my guess is that you have to
go "out of band".
Unfortunately the "definition" of a serializer is that it is the last
thing in a pipeline. It isn't (I think) possible using the current
sitemap semantics to define something that takes place after the
serializer, which means calculating the signature of the generated content
is impossible.
Does anyone else see value in this, and if so, how would you add this
functionality?
Jason Foster
---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
Re: xml-signature
Posted by Stefano Mazzocchi <st...@apache.org>.
Colin Britton wrote:
>
> We looked a while ago at building a transformer based on the IBM XML
> security suite, but the licence is a commercial one. It has some good
> features...
>
> Digital signature implementation based on "XML-Signature Syntax and
> Processing" by W3C/IETF
> XML encryption implementation based on "XML Encryption Syntax and
> Processing" by W3C
> XML Access Control Language and implementation
> http://www.alphaworks.ibm.com/tech/xmlsecuritysuite
>
> Does anyone know of a similar suite that is open source?
ehm
http://xml.apache.org/security/
--
Stefano Mazzocchi One must still have chaos in oneself to be
able to give birth to a dancing star.
<st...@apache.org> Friedrich Nietzsche
--------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
Re: xml-signature
Posted by Colin Britton <cb...@metatomix.com>.
We looked a while ago at building a transformer based on the IBM XML
security suite, but the licence is a commercial one. It has some good
features...
Digital signature implementation based on "XML-Signature Syntax and
Processing" by W3C/IETF
XML encryption implementation based on "XML Encryption Syntax and
Processing" by W3C
XML Access Control Language and implementation
http://www.alphaworks.ibm.com/tech/xmlsecuritysuite
Does anyone know of a similar suite that is open source?
rgds
CB
----- Original Message -----
From: "Michael Hartle" <mh...@hartle-klug.com>
To: <co...@xml.apache.org>
Sent: Sunday, February 17, 2002 8:29 AM
Subject: Re: xml-signature
> Jason Foster wrote:
>
> > Now that the W3 has recommended xml-signature, does it make sense to
> > try and figure out how to incorporate it into the Cocoon pipeline model?
> > I've put a (very) little thought into this and I'm not sure what
> > approach makes the most sense. For documents serialized as XML, then
> > a modification to the XMLSerializer should work. For other
> > serializers where you can't easily add XML content, then my guess is
> > that you have to go "out of band".
> > Unfortunately the "definition" of a serializer is that it is the last
> > thing in a pipeline. It isn't (I think) possible using the current
> > sitemap semantics to define something that takes place after the
> > serializer, which means calculating the signature of the generated
> > content is impossible.
> >
> > Does anyone else see value in this, and if so, how would you add this
> > functionality?
>
> What about a SigningTransformer and a VerifyingTransformer ? The
> SigningTransformer would then sign the referenced portions as the last
> transformer in a pipeline; the VerifyingTransformer would check the
> signatures as the first transformer, either passing the correct content
> through or somehow marking the content or signature as invalid. I hope I
> understood the spec correctly so far; I guess that the specification
> does not apply to other content than serialized XML.
>
> Best regards,
>
> Michael Hartle,
> Hartle & Klug GbR
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
> For additional commands, email: cocoon-dev-help@xml.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
Re: xml-signature
Posted by Jason Foster <ja...@uwaterloo.ca>.
<snip/>
> We could handle it like X/CIncludeTransformers work, letting the
> SignatureTransformer fire up on something like
>
> <sig:sign src="http://some.external.doc/to/be/sig.ned">
> <sig:Transforms>
> <sig:Transform
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> </sig:Transforms>
> <sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> </sig:sign>
>
> That way it would be possible to both sign an arbitrary resource and
> portions of the already generated content, via an XPath expression for
> example.
Sounds good. The only question now is whether there is anyone with the
free time and knowledge to implement this new transformer. I'm swamped
until April.
Jason Foster
---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
Re: xml-signature
Posted by Michael Hartle <mh...@hartle-klug.com>.
Jason Foster wrote:
>> What about a SigningTransformer and a VerifyingTransformer ? The
>> SigningTransformer would then sign the referenced portions as the
>> last transformer in a pipeline; the VerifyingTransformer would check
>> the signatures as the first transformer, either passing the correct
>> content through or somehow marking the content or signature as
>> invalid. I hope I understood the spec correctly so far; I guess that
>> the specification does not apply to other content than serialized XML.
>
> My take on the specification, but I can't claim perfect understanding,
> is that it covers signing any kind of content. Quoting from the
> Introduction:
>
>> XML Signatures can be applied to any digital content (data object),
>> including XML. An XML Signature may be applied to the content of one
>> or more resources. Enveloped or enveloping signatures are over data
>> within the same XML document as the signature; detached signatures
>> are over data
>> external to the signature element.
>
You are right, you can sign any digital content, but the signature
itself is detached, not contained in these non-xml binary formats;
understood - the example at
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-o-Simple shows
a signature for http://www.w3.org/TR/2000/REC-xhtml1-20000126.
> For enveloped signatures, your suggestion should work fine. The trick
> seems to be how to handle detached signatures.
We could handle it like X/CIncludeTransformers work, letting the
SignatureTransformer fire up on something like
<sig:sign src="http://some.external.doc/to/be/sig.ned">
<sig:Transforms>
<sig:Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</sig:Transforms>
<sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</sig:sign>
That way it would be possible to both sign an arbitrary resource and
portions of the already generated content, via an XPath expression for
example.
Best regards,
Michael Hartle,
Hartle & Klug GbR
---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
Re: xml-signature
Posted by Jason Foster <ja...@uwaterloo.ca>.
> What about a SigningTransformer and a VerifyingTransformer ? The
> SigningTransformer would then sign the referenced portions as the last
> transformer in a pipeline; the VerifyingTransformer would check the
> signatures as the first transformer, either passing the correct content
> through or somehow marking the content or signature as invalid. I hope I
> understood the spec correctly so far; I guess that the specification does
> not apply to other content than serialized XML.
My take on the specification, but I can't claim perfect understanding, is
that it covers signing any kind of content. Quoting from the Introduction:
> XML Signatures can be applied to any digital content (data object),
> including XML. An XML Signature may be applied to the content of one or
> more resources. Enveloped or enveloping signatures are over data within
> the same XML document as the signature; detached signatures are over data
> external to the signature element.
For enveloped signatures, your suggestion should work fine. The trick
seems to be how to handle detached signatures.
I think the only solution is to develop a generator that:
1) requests an arbitrary resource from somewhere (within the sitemap;
outside world; etc.)
2) generates the xml-signature document
3) sends this new document down the pipeline
This shouldn't (hopefully) be too hard as we already (I think) have the
ability to request information from the outside world (the aggregation
stuff).
Thoughts?
Jason Foster
---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
Re: xml-signature
Posted by Michael Hartle <mh...@hartle-klug.com>.
Jason Foster wrote:
> Now that the W3 has recommended xml-signature, does it make sense to
> try and figure out how to incorporate it into the Cocoon pipeline model?
> I've put a (very) little thought into this and I'm not sure what
> approach makes the most sense. For documents serialized as XML, then
> a modification to the XMLSerializer should work. For other
> serializers where you can't easily add XML content, then my guess is
> that you have to go "out of band".
> Unfortunately the "definition" of a serializer is that it is the last
> thing in a pipeline. It isn't (I think) possible using the current
> sitemap semantics to define something that takes place after the
> serializer, which means calculating the signature of the generated
> content is impossible.
>
> Does anyone else see value in this, and if so, how would you add this
> functionality?
What about a SigningTransformer and a VerifyingTransformer ? The
SigningTransformer would then sign the referenced portions as the last
transformer in a pipeline; the VerifyingTransformer would check the
signatures as the first transformer, either passing the correct content
through or somehow marking the content or signature as invalid. I hope I
understood the spec correctly so far; I guess that the specification
does not apply to other content than serialized XML.
Best regards,
Michael Hartle,
Hartle & Klug GbR
---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org