OASIS Open Document Format for Office Applications (OpenDocument) TC

 View Only
  • 1.  Digital Signatures

    Posted 05-05-2010 00:49
    I'd like to start off by asking a few questions - my primary interest is achieving a specification that gives me as an implementer enough information that I can sign ODF documents and interoperate with other implementers. I'm also the author for the MS-OFFCRYPTO document where we specify our handling of encryption and digital signatures, as well as being the developer who deals with the core digital signature code for Office.
    
    Just saying that you can sign a document with xmlDSig and optionally include XAdES information provides (IMHO) an overly loose specification. An implementer than has to worry about having a completely arbitrary xmlDSig and XAdES parser, and that can certainly lead to complications. Given that I do not currently have an implementation for ODF, I don't have a lot of energy on the choices you make, but I would like to be able to sign ODF documents with Office.
    
    To get into the details, a Signature element is composed of:
    
    - SignedInfo
    - SignatureValue
    - KeyInfo (0 or 1)
    - Object (0 or more)
    
    The SignedInfo contains the Reference elements to be signed, among other things. Some implementations have Reference URIs that resolve to XML external to the Signature, others may have a requirement that these top-level Reference elements may only resolve to XML within the Signature, typically an Object element, a Manifest element contained within an Object, or in the case of XAdES, SignedProperties. If the top-level References must have URIs that resolve internal to the Signature, then a Manifest would be required. Using a Manifest is of some benefit, because resolving the References contained within an Object is defined as app-specific, which makes you free to have a Transform that may be something defined outside of xmlDSig. I don't know if such a Transform would be needed for this application. The reason I ask about this is that a Transform could potentially cause problems - for example, an XLST transform could lead to a violation of "What you see is what you sign". It may be beneficial to make a requirement that a top-level Reference may only have a canonicalization transform.
    
    SignatureValue is non-controversial - it is just base64 encoding of the actual signature bits.
    
    KeyInfo is listed as optional, but I'm not sure how a practical signature (especially for a document) could exist without one. The catch with this element is that it has quite a lot of flexibility (see [xmldsig] section 4.4). We use a X509Data element in our signatures, but that element is also quite flexible. In our case, we only ever place the top-level certificate as a X509Certificate element into the X509Data, but there are other valid choices to be made. It would be helpful if the standard specified which of these choices were required, allowed and disallowed.
    
    An Object is used to contain a Manifest for app-specific References, and an Object is also used as a container for the single XAdES element.
    
    There are a similar series of decisions to be made when implementing a XAdES element - for an example of the decisions we made, you can look in section 2.5.2.6 of MS-OFFCRYPTO. I am not saying that these decisions are globally the right thing for other document types, but that we need to consider branches in the implementation and what choices to define.
    
    A complex issue is exactly what within a document must or should be signed, and how partial signatures might be treated. This can be left up to implementers to provide flexibility, but the trade-offs are that if you don't sign enough, then you have a loose signature that might not be valid from a security standpoint, and if you sign too much, then you might have signatures that get broken just by updating metadata.
    
    A final point is that there are already some implementers making signatures today, and it would be a good thing to have their existing signatures meet the specification, assuming they're not doing anything incorrect. I don't know which implementers are making signatures now - it would be helpful to me to know that and see what I might end up parsing.
    
    There are other issues, such as encrypt then sign, or sign then encrypt, but I don't want to deal with too much all at once.
    
    Thanks for allowing me to join this group, and I hope I can be of help.
    
    
    


  • 2.  Re: [office] Digital Signatures

    Posted 05-05-2010 01:58
    I should have said it before, but welcome aboard!
    
     Do you go by David or Dave?  (We already have one David, but we can 
    manage either way).
    
    I know it is early for those in the west coast, especially for a Monday 
    morning, but I hope you can join us for our weekly TC meeting, which is at 
    1330-14130 UTC.  You can see the meeting schedule here:  
    http://www.oasis-open.org/apps/org/workgroup/office/event.php?event_id=26793&day=1273485600
    
    Note that meetings for the last two Monday's in May are canceled.  I think 
    you can get the events in iCalendar format by clicking the "download" on 
    the above page.
    
    I've put a few other bits of possibly useful information in this wiki 
    page, which you might want to look at:  
    http://wiki.oasis-open.org/office/New_Member_Orientation
    
    Regards,
    
    -Rob
    Co-Chair, OASIS ODF TC
    
    David LeBlanc 


  • 3.  RE: [office] Digital Signatures

    Posted 05-05-2010 02:42
    I go by David, but I've been called far worse than Dave...
    
    If I'm not mistaken, the meeting would be at 5:30 AM Pacific? I think I'd have to be specifically needed to be up at that hour. If signatures is the topic, then I can get up early.
    
    


  • 4.  RE: [office] Digital Signatures

    Posted 05-05-2010 03:03
    On Tue, 2010-05-04 at 20:41 -0600, David LeBlanc wrote:
    > If I'm not mistaken, the meeting would be at 5:30 AM Pacific? I think
    > I'd have to be specifically needed to be up at that hour. If
    > signatures is the topic, then I can get up early.
    
    Since the TC meetings are at 7:30 AM Mountain Daylight (my time), it
    should be 6:30 AM Pacific Daylight, still not great but better than
    5:30.
    
    Andreas 
    > 
    
    
    
    


  • 5.  RE: [office] Digital Signatures

    Posted 05-05-2010 04:33
    Yup, 6:30am PDT, though I'm not certain that it's better than 5:30 :)
    
    Do we want to add digital signatures to our next meeting or simply continue the discussion on email?
    
    Cherie
    
    


  • 6.  RE: [office] Digital Signatures

    Posted 05-05-2010 19:00
    Cherie Ekholm 


  • 7.  RE: Digital Signatures

    Posted 05-05-2010 09:56
    David,
    
    
    thanks for the comments, one remark / question though:
    
    > We use a X509Data element in our signatures, but that element is also quite flexible.
    > In our case, we only ever place the top-level certificate as a X509Certificate element
    > into the X509Data, but there are other valid choices to be made.
    
    So that would be the certificate used to sign a document (not the whole certificate chain).
    IIRC OpenOffice 3.2 also does this, but I think it is more convenient to include the whole
    chain, especially when dealing with very large deployments.
    
    In .be, our ID cards have a signing certificate signed by a "Citizen CA" certificate, and
    "Citizen CA"  is signed by the "Belgian Root CA". The cards are valid for 5 years.
    
    Now, to distribute the load of 9 million eID cards (and counting), there are like 100
    "Citizen CA's" in use, and a new one is created each month.
    
    So if a signed document only contains the signing certificate and one wants to verify the
    chain, one has to have the "correct" Citizen CA certificate installed.
    
    If the document would contain the whole certificate chain, one only has to install the
    Belgian Root CA (replaced every 5 years or so)
    
    
    > It would be helpful if the standard specified which of these choices were required,
    > allowed and disallowed.
    
    +1
    
    Best regards
    
    Bart


  • 8.  RE: Digital Signatures

    Posted 05-05-2010 17:03
    Inline - 
    
    ________________________________________
    From: Hanssens Bart [Bart.Hanssens@fedict.be]
    Sent: Wednesday, May 05, 2010 2:56 AM
    To: David LeBlanc; 'ODF TC List'
    Subject: RE: Digital Signatures
    
    David,
    
    
    thanks for the comments, one remark / question though:
    
    >> We use a X509Data element in our signatures, but that element is also quite flexible.
    >> In our case, we only ever place the top-level certificate as a X509Certificate element
    >> into the X509Data, but there are other valid choices to be made.
    
    > So that would be the certificate used to sign a document (not the whole certificate chain).
    IIRC OpenOffice 3.2 also does this, but I think it is more convenient to include the whole
    chain, especially when dealing with very large deployments.
    
    You can do that, but if you are supporting XAdES, there is a designated set of elements to put the certificate chain (along with hashes to prevent exchanging a cert with another that has the same key pair). If you put all of the certs in the KeyInfo, then the parser has to do extra work to figure out which of the certs is the signing cert.
    
    This isn't insurmountable, but it is a nuisance. If you are using XAdES, a somewhat nicer approach is to put the signing certificate into the KeyInfo, and then you place the chain into the CertificateValues element of the XAdES section. Note that XAdES does specifically accomodate certs placed in the KeyInfo ([xades] 7.6.1), and notes that any certs already present in KeyInfo do not have to be duplicated into the CertificateValues.
    
    >In .be, our ID cards have a signing certificate signed by a "Citizen CA" certificate, and
    "Citizen CA"  is signed by the "Belgian Root CA". The cards are valid for 5 years.
    
    >Now, to distribute the load of 9 million eID cards (and counting), there are like 100
    "Citizen CA's" in use, and a new one is created each month.
    
    >So if a signed document only contains the signing certificate and one wants to verify the
    chain, one has to have the "correct" Citizen CA certificate installed.
    
    You don't normally have to install intermediate CAs. A cert should contain the information needed to get the next cert in the chain - we need to contact the intermediate CA(s) to get revocation information in any case.
    
    > If the document would contain the whole certificate chain, one only has to install the
    Belgian Root CA (replaced every 5 years or so)
    
    It does potentially save some network traffic, and it is handy to have the chain, but shouldn't be required to be able to evaluate a chain. With that many intermediate CAs, I think you don't want to install them as trust anchors - there's too much chance that one of them might end up compromised.
    
    BTW, it doesn't always give you all the information. If there is a bridge CA and there are multiple chains in play, the chain I use to validate a cert may not be the chain you use to validate a cert. It is impractical and undesirable to attempt to place all possible chains into the signature, so you'd normally go with the shortest available chain at signing time.
    
    I agree it is a good thing to have the whole chain, and we have even had one or two customers ask for Office signatures to do the same. The question would be whether to place them in the KeyInfo or in the XAdES CertificateValues. Given that current implementations that do not include XAdES do place the chain in KeyInfo, that should certainly be allowed, but the question would be whether it is a MUST or a MAY to place them there.
    
    A second question is whether it would be desirable to ask an implementer to place an Id attribute on the signing cert, though a concern that always comes up with Id attributes is that they need to be unique within an XML document, and given that you have an XML element which could contain multiple signatures, there would need to be some way to ensure uniqueness. This also comes into play when adding the XAdES capability to include CounterSignature elements, which will have nested Signature elements.