XML-RSig

From lid.netmesh.org


Purpose

XML-RSig is a much simpler alternative to the XML-DSig standard for signing XML content. Our goal with XML-RSig has not been to address all the requirements that XML-DSig addresses, but to compromise on the requirements in order to allow for a much simpler solution.

The purpose of XML-RSig within the LID architecture is to allow one or more nodes in an XML document to be digitally signed, using the public/private key pair associated with a LID URL, whose public part can be retrieved from that URL.

While not currently within the LID architecture, XML-DSig could be used in a similar manner to XML-RSig if desired. While not currently defined, XML-RSig could be extended to cover encryption.

Signature Algorithm

Given an XML document, the XML-RSig algorithm proceeds as follows:

  1. Select a node in the XML document tree to sign. This node, including all of its attributes and child nodes (recursively), will be signed.
  2. Cut out the text string in the XML file that corresponds to the selected node, from the first character of the start tag through, and including, the last character of the end tag, but no trailing white space (such as newline characters).
  3. In the cut-out text, replace any white space characters immediately preceding the end of any line with their hexadecimal escaped form (e.g. &#x20; instead of a blank).
  4. In the resulting text, insert all XML namespace declarations that are necessary in order to unambiguously resolve all XML statements.
  5. As the first child node of the resulting XML fragment, insert the XML-RSig node start tag, with all attributes (see below), immediately followed by the closing tag, without any white space or other content between the start and the end tag.
  6. Run the signature algorithm, in "text mode", with the resulting text as an input blob. To convert characters to and from bytes, apply the character set of the overall XML document.
  7. Insert the signature, verbatim as produced by the signature algorithm, between the start and end tags of the XML-RSig node.
  8. Re-insert the resulting XML fragment, as-is, at the same place in the original XML file from which it was originally removed. Make sure no whitespace is added or removed in the process.

XML-RSig Node

The XML-RSig node holds the actual signature and signature meta-data. The signature is inserted as a child node. The signature meta-data is represented in attributes of the node. This node is declared in the XML-RSig namespace.

Attribute      Description
lid            The identifier of the LID Object that provides the credential, such as a digital signature.
lid-credtype   The credential type, i.e. "gpg --clearsign".
encoding       The character set of the document. This value must be the same as the encoding of the XML document.

XML-RSig does not define a Service Type.

Multiple signatures

Multiple signatures, such as from multiple parties, of the same or different nodes in the XML document, are allowed.

The XML-RSig algorithm specifies that the RSig element must be the first child node of the signed node. If the second child node is also an RSig element, it is to be interpreted as having been constructed first; the first child node was then constructed by signing the resulting document, including the previously created RSig node and its signature. Each additional signature therefore covers all RSig nodes that precede it.
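The eight signing steps, the RSig node attributes and the nesting rule for multiple signatures, worked through in Python as an added example (this is not code from the page or from the LID project). Several details the page leaves open are assumptions here: the element name rsig:RSig and its namespace URI (a placeholder), that in-scope namespaces are declared on the document's root element, that the selected element is not self-closing, and a pluggable signer (an HMAC over a constructed key) standing in for "gpg --clearsign". The verify function goes beyond the page, which describes signing only; it is simply the inverse of the signing steps.

```python
"""XML-RSig signing and verification (added example; assumptions in comments)."""
import hashlib
import hmac
import re
from typing import Callable, Dict, Tuple
from xml.sax.saxutils import escape

RSIG_TAG = "rsig:RSig"                        # assumed element name
RSIG_NS = "http://example.invalid/xml-rsig"   # placeholder namespace URI
_XMLNS_RE = re.compile(r'xmlns(?::([\w.-]+))?="([^"]*)"')


def locate_element(doc: str, name: str) -> Tuple[int, int]:
    """Steps 1-2: (start, end) of the text from the first character of the first
    `name` start tag through the last character of its matching end tag."""
    depth, start = 0, None
    for m in re.finditer(r"<(/?)%s(?=[\s>])[^>]*>" % re.escape(name), doc):
        if m.group(1) == "":            # start tag (self-closing form not supported)
            if depth == 0:
                start = m.start()
            depth += 1
        else:                           # end tag; depth handles same-named descendants
            depth -= 1
            if depth == 0 and start is not None:
                return start, m.end()
    raise ValueError(f"element {name!r} not found or unbalanced")


def _start_tag_end(fragment: str) -> int:
    """Index just past the '>' closing the root start tag ('>' in quotes ignored)."""
    quote = None
    for i, ch in enumerate(fragment):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == ">":
            return i + 1
    raise ValueError("unterminated start tag")


def escape_trailing_whitespace(text: str) -> str:
    """Step 3: white space right before a line end becomes &#x..; (blank -> &#x20;)."""
    return re.sub(r"[ \t\r]+(?=\n)",
                  lambda m: "".join("&#x%X;" % ord(c) for c in m.group(0)), text)


def root_namespace_declarations(doc: str) -> Dict[str, str]:
    """Namespaces in scope, read from the root element's start tag ("" = default)."""
    root = re.search(r"<[A-Za-z_][^>]*>", doc)       # skips the <?xml ...?> prolog
    return dict(_XMLNS_RE.findall(root.group(0))) if root else {}


def insert_namespace_declarations(fragment: str, in_scope: Dict[str, str]) -> str:
    """Step 4: declare on the root start tag every in-scope namespace the
    fragment uses but does not declare itself (sorted, so the blob is stable)."""
    end = _start_tag_end(fragment)
    declared = {p for p, _ in _XMLNS_RE.findall(fragment[:end])}
    used = (set(re.findall(r"<([\w.-]+):", fragment))
            | set(re.findall(r"\s([\w.-]+):[\w.-]+=", fragment))) - {"xml", "xmlns"}
    if re.search(r"<[A-Za-z_][\w.-]*[\s>/]", fragment):   # unprefixed element present
        used.add("")
    decls = "".join(' xmlns%s="%s"' % (":" + p if p else "", _attr(in_scope[p]))
                    for p in sorted(used) if p not in declared and p in in_scope)
    return fragment[:end - 1] + decls + fragment[end - 1:]


def _attr(value: str) -> str:
    return escape(value, {'"': "&quot;"})


def rsig_node(lid: str, credtype: str, encoding: str, signature: str = "") -> str:
    """Steps 5/7: the RSig node; its namespace is declared on the node itself."""
    return ('<%s xmlns:rsig="%s" lid="%s" lid-credtype="%s" encoding="%s">%s</%s>'
            % (RSIG_TAG, RSIG_NS, _attr(lid), _attr(credtype), _attr(encoding),
               signature, RSIG_TAG))


def sign_node(doc: str, element: str, lid: str, credtype: str, encoding: str,
              signer: Callable[[bytes], str]) -> str:
    start, end = locate_element(doc, element)                       # steps 1-2
    fragment = escape_trailing_whitespace(doc[start:end])           # step 3
    fragment = insert_namespace_declarations(fragment, root_namespace_declarations(doc))
    cut = _start_tag_end(fragment)
    head, tail = fragment[:cut], fragment[cut:]
    blob = head + rsig_node(lid, credtype, encoding) + tail         # step 5: empty RSig first
    signature = signer(blob.encode(encoding))                       # step 6: document charset
    signed = head + rsig_node(lid, credtype, encoding, signature) + tail   # step 7
    return doc[:start] + signed + doc[end:]                         # step 8: same place


def verify_node(doc: str, element: str, encoding: str,
                verifier: Callable[[bytes, str], bool]) -> bool:
    """Inverse of sign_node (not spelled out on the page): RSig must be the first
    child; blanking its content recovers exactly the bytes that were signed."""
    start, end = locate_element(doc, element)
    fragment = doc[start:end]
    tag = re.escape(RSIG_TAG)
    m = re.search(r"<%s\b[^>]*>(.*?)</%s>" % (tag, tag), fragment, re.S)
    if m is None or m.start() != _start_tag_end(fragment):
        return False
    blob = fragment[:m.start(1)] + fragment[m.end(1):]
    return verifier(blob.encode(encoding), m.group(1))


DEMO_KEY = b"constructed-demo-key"   # constructed; stands in for the LID key pair

def demo_signer(blob: bytes) -> str:
    """Stand-in for "gpg --clearsign" (assumption): HMAC-SHA256 hex digest."""
    return hmac.new(DEMO_KEY, blob, hashlib.sha256).hexdigest()

def demo_verifier(blob: bytes, signature: str) -> bool:
    return hmac.compare_digest(demo_signer(blob), signature)

SAMPLE_DOC = (                        # constructed input; note the two trailing blanks
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<root xmlns:ex="http://example.invalid/ns">\n'
    '  <ex:profile>\n'
    '    <ex:name>Example Person</ex:name>  \n'
    '  </ex:profile>\n'
    '</root>\n'
)

if __name__ == "__main__":
    signed = sign_node(SAMPLE_DOC, "ex:profile", "http://lid.example.invalid/alice",
                       "gpg --clearsign", "UTF-8", demo_signer)
    print(signed)
    print("verifies:", verify_node(signed, "ex:profile", "UTF-8", demo_verifier))
```

Calling sign_node a second time on the already signed document produces the layout described under "Multiple signatures": the new RSig node becomes the first child and the earlier one, signature included, is part of what the new signature covers; verify_node checks the first-child signature, which is the outermost one. The RSig node declares its own namespace so step 4 does not have to anticipate an element that is only inserted in step 5.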

Implementations

A prototype implementation of XML-RSig is available at [1]. This is not quite conformant to the description above (specifically, the signing of RSig attributes is not (yet) implemented).
