At 3:16 PM -0600 6/30/05, Antone Roundy wrote:
On Thursday, June 30, 2005, at 12:58 PM, James M Snell wrote:
6. If an entry contains any "enclosure" links, the digital signature SHOULD cover the referenced resources. Enclosure links that are not covered are considered untrusted and pose a potential security risk.

Fully disagree. We are signing the bits in the document, not the outside. There is "security risk", those items are simply unsigned.

I tend to consider enclosures to be part of the document, even if they are included by reference. As a potential consumer of an enclosure I want to know whether or not the referenced enclosure can be trusted. Is it accepted to change the SHOULD to a MAY with a caveat outlining the security risk?

Perhaps a good approach would be for the signed entry to contain a separate signature for the enclosure--so the entry's signature would cover the bits in the enclosure's signature, but not the bits in the enclosure itself. That way, the signature for the entry could be verified without having to fetch the enclosure.

Where would that signature go? Did we decide that <link> doesn't have to be empty? If so, that might be a good place...but then I don't have any experience with signed XML, so I don't know whether there would be technical difficulties with putting it in any particular place.

This is possible. It translates to "I say that the bits gotten from <here> have a hash of <value>". If the hash doesn't match, you can't assume anything about the bits; if it does, the other semantic data in the message can apply to them ("...and it is a picture of me", "...and it is a program that will delete your data"...).

--Paul Hoffman, Director
--Internet Mail Consortium
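The two-stage scheme discussed above (the entry's signature covers a digest of the enclosure, so the entry can be verified without fetching, and the enclosure bytes are trusted only if they match that signed digest) as an added worked example; this is not code from the thread or from any Atom implementation. Assumptions: a hypothetical `sha256` attribute on the enclosure `<link>` carries the digest (Atom defines no such attribute), HMAC-SHA256 with a constructed shared key stands in for XML-DSig, and the enclosure bytes are constructed inline.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
ATOM = "{%s}" % ATOM_NS

# Hypothetical attribute carrying the enclosure's digest inside the signed entry.
# Constructed for this example; it is not defined by the Atom format.
DIGEST_ATTR = "sha256"

# Constructed sample key. A real feed would use XML-DSig with an asymmetric key;
# HMAC-SHA256 over canonical XML stands in for that here.
SIGNING_KEY = b"example-signing-key-demo-only"

# Constructed enclosure bytes, standing in for the resource behind the href.
ENCLOSURE_BYTES = b"ID3\x03\x00fake mp3 payload for the example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_entry(enclosure_href: str, enclosure_bytes: bytes) -> ET.Element:
    """Build an entry whose enclosure link carries the digest of the enclosure."""
    entry = ET.Element(ATOM + "entry")
    ET.SubElement(entry, ATOM + "id").text = "tag:example.org,2005:entry-1"
    ET.SubElement(entry, ATOM + "title").text = "Episode 1"
    ET.SubElement(entry, ATOM + "link", {
        "rel": "enclosure",
        "href": enclosure_href,
        "type": "audio/mpeg",
        "length": str(len(enclosure_bytes)),
        DIGEST_ATTR: sha256_hex(enclosure_bytes),
    })
    return entry


def canonical_bytes(entry: ET.Element) -> bytes:
    """Canonical XML (C14N 2.0), so signer and verifier hash the same bytes."""
    return ET.canonicalize(ET.tostring(entry, encoding="unicode")).encode("utf-8")


def sign_entry(entry: ET.Element, key: bytes = SIGNING_KEY) -> str:
    """Signature over the entry, which includes the enclosure digest attribute."""
    return hmac.new(key, canonical_bytes(entry), hashlib.sha256).hexdigest()


def verify_entry(entry: ET.Element, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Stage 1: check the entry's own signature. Needs no fetch of the enclosure."""
    return hmac.compare_digest(sign_entry(entry, key), signature)


def enclosure_links(entry: ET.Element) -> list:
    return [l for l in entry.findall(ATOM + "link") if l.get("rel") == "enclosure"]


def verify_enclosure(link: ET.Element, fetched: bytes) -> bool:
    """Stage 2: fetched bytes are trusted only if they match the signed digest."""
    claimed = link.get(DIGEST_ATTR)
    if claimed is None:
        return False  # no digest under the signature: the enclosure is simply unsigned
    return hmac.compare_digest(claimed, sha256_hex(fetched))


def classify(entry: ET.Element, signature: str, fetch) -> dict:
    """Map each enclosure href to 'trusted'/'untrusted'; refuse a bad entry signature."""
    if not verify_entry(entry, signature):
        raise ValueError("entry signature invalid; nothing in it can be relied on")
    return {
        l.get("href"): "trusted" if verify_enclosure(l, fetch(l.get("href"))) else "untrusted"
        for l in enclosure_links(entry)
    }


if __name__ == "__main__":
    entry = build_entry("https://example.org/ep1.mp3", ENCLOSURE_BYTES)
    sig = sign_entry(entry)
    # Fetcher returning the genuine bytes versus one returning swapped bytes.
    print(classify(entry, sig, lambda href: ENCLOSURE_BYTES))
    print(classify(entry, sig, lambda href: b"swapped content"))
```

Note that the digest lives inside the signed entry, so altering it to match swapped bytes invalidates the entry signature, while a link that carries no digest is reported untrusted rather than rejected outright, matching the "simply unsigned" reading above.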
