28946 02 p507-532 r3kp -...
TRANSCRIPT
Index
507
S
.. XPath abbreviation, 113
. XPath abbreviation, 113–114// XPath abbreviation, 113@ XPath abbreviation, 113
AAbbreviated location paths, 108Absolute location paths, 107–108Absolute URIs, 204Abstract elements, 96Abstract types, 96Actor attribute, 150–151Actors, 150, 152–153Addison-Wesley Internet Web site, xviiiAddition (+) operator, 116Adjunct meaning, 472–473AES (Advanced Encryption Standard)
algorithms, 410AES (Advanced Encryption Standard), 18AES Key Wrap algorithms, 416–420AES-128 algorithm, 391AES-128 Key Wrap algorithm, 391AES-192 algorithm, 391AES-192 Key Wrap algorithm, 391AES-256 algorithm, 391AES-256 Key Wrap algorithm, 391Agreement data as content, 316AgreementMethod element, 296, 298, 308,
316–317, 366–367, 387, 395, 398–401,402–403
AgreementMethod algorithms, 214, 385AgreementMethod role element, 386Algorithm attribute, 383Algorithmic pseudo-random number
generators, 30Algorithmic roles, 385–394Algorithms, 213–214
AES (Advanced Encryption Standard), 410AES Key Wrap, 416–420applications, 385ARCFOUR, 411
Base-64 Decoding, 424–425block encryption, 408–410Canonical XML, 422–423canonicalization, 421–424CMS Key Checksum, 414Diffie-Hellman Key Agreement, 401–404DSA, 406–407encryption, 369Enveloped Signature Transform, 430Exclusive XML Canonicalization, 423explicit parameters, 383HMAC SHA-1, 405HMAC variations of, 406implicit inputs or parameters, 383key agreement, 398–404key transport, 412–414MAC (Message Authentication Code),
404–406MDS, 395–397message digest, 395–398Minimal Canonicalization, 423–424non-cryptographic, 421–433RIPEMD-160, 398RSA variations of, 408RSA Version 1.5, 412–413RSA-OAEP, 413–414RSA-SHA1, 407–408SHA versions of, 397–398SHA-1, 397signature, 406–408stream encryption, 410–411style of URIs, 385, 387symmetric key wrap, 414–420syntax, 383–384text-based canonicalization, 217transform, 424–433Triple DES, 409–410Triple DES Key Wrap, 415–416XML Schema Validation, 432–433XML-based canonicalization, 217XPath Filtering, 425–430
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 507
Algorithms (cont.)XPointer, 431–432XSLT Transform, 430–431
Algorithm-specific namespaces, 383Amount of processing, 473Amp (&) escape string, 53Ampersand (&) character (&), 42, 52–53,
63, 187Ancestor, 74ancestor:: axis, 109, 137ancestor-or-self:: axis, 109, 137And Boolean operator, 115Anonymous actor, 150Anonymous type, 94ANY content model, 75ANY keyword, 75anyAttribute element, 353anyType data type, 94, 271anyURI simpleType, 89Apache Web site, 438–439Apache Xalan package, 438–439Apex element, 150Apos (') escape string, 53Application-defined keys, 299Applications, 35
algorithms, 385context, 247digital signature algorithms, 252DTD elimination, 204equivalences and canonicalization, 201–202executable content, 252mapping parameter names into XML, 165PIs (processing instructions), 54–55processing instruction, 84retrieval method, 322XML Digital Signature standard, 422XML Encryption standard, 346
Arbitrary-length integers, 213, 302ARCFOUR algorithm, 391, 411Arithmetic algorithm division, 384Arithmetic operators, 116–117ASCII format, 462–463ASN.1 BER SHA1 algorithm designator prefix,
407–408Assures element, 254–256Asymmetric key ciphers, 19–20Asymmetric keys and authentication, 20–21attribute:: axis, 109, 137Attribute nodes, 104, 196–197
508 ❘ Index
SNL
attributeFormDefault attribute, 95Attribute-list declaration, 70Attributes, 47–48
alphabetic order, 194beginning name with letter, 82case of name, 82covering range, 138default, 184default values, 82–83DTDs (Document Type Definitions), 79–82end tags, 82fixed values, 83global, 92groups of, 94local, 92–93missing, 93name, 47null value, 93optional, 83ordering, 186qualifying names, 56, 58required, 83restricting value of, 80–81schemas, 91–95simpleType, 89SOAP, 149special, 48–50special properties, 69start tags, 79surrounding values with quotes, 82types, 79–81, 184unique values, 97unordered, 173value delimiters, 186–187value normalization, 183–184values, 47, 93white space between, 173xmlns: prefix, 57
Audio markup, 38Authentication, 8, 207
asymmetric keys, 20–21paper point of view, 476protocol point of view, 476–477
Authentication codes, 207AuthInfo element, 333Authorities, 124–126AuthServerInfo element, 332AuthServerInfoType element, 337–338AuthUserInfoType element, 336
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 508
Automatic transforms, 243–244Axis, 108
BBaltimore Technologies Web site, 439, 442Baltimore Technologies XMLDSIG product
Web site, 439Bare name XPointers, 242Bare names, 135Base URIs (Uniform Resource Identifiers),
130–132, 204Base64 algorithm, 394Base-64 Decoding algorithms, 424–425Base-64 encoded certificate revocation list, 310Base-64 encoded Key Material Packet, 314Base-64 encoded plain value, 309Base-64 Transform element, 425base64Binary simpleType, 89, 213BCP (Best Current Practice) standard, 461Berners-Lee, Tim, 453Big endian, 213Bignums, 213, 302Binary data, 60Binary ISO public key infrastructure items, 272Block encryption algorithms, 408–410Body element, 37, 70, 151Boolean functions, 121Boolean operators, 115–116Boolean() function, 114, 121Bottom attribute, 93Bottom-level user certificates, 24Boxing patents, 11Boyer, John, 170Browser-oriented processor, 40Browsers and semantic attacks, 126BSAFE Cert-J SDK Web site, 449Byte objects, xxi–xxii
CCandidate Recommendation, 454Canonical XML, 10, 169–170, 205, 218, 365,
421, 439ancestor environment characteristics, 197applying to node-set, 176comments, 230explicit interoperability testing, 437input/read rules, 182–184namespace declarations output, 189namespace nodes output, 198
Index ❘ 509
S
L
output/print rules, 184–188Unicode character normalization, 202UTF-8 character encoding, 185with and without comments, 192XML encryption, 178–180XPath expressions, 242
Canonical XML algorithms, 218, 388, 422–423Canonical XML and Exclusive Canonical XML
for Python Web site, 450Canonical XML for Perl Web site, 447Canonical XML interoperability matrix Web
site, 437Canonical XML with Comments algorithm, 388Canonicalization, 29, 477
alphabetic order for namespaces andattributes, 194
application equivalences, 201–202attribute and namespace ordering, 186attribute nodes, 196–197attribute types, 204attribute value delimiters, 186–187attribute value normalization, 183–184CDATA sections, 182–183character normalization, 202–203comment nodes, 199–200custom, 188, 201, 205definition of, 169digital signatures, 249do nothing, 218document encoding, 185document order, 193element nodes, 195–196empty elements, 186encryption, 421essential for digital signatures over XML,
171–178exclusive/inclusion of ancestor namespace
declarations, 205–206formal generative specification, 194–200inclusion of default attributes, 184inherited attribute and namespace
declaration rules, 188–190input/read rules, 182–184limitations, 200–206line breaks, 182minimal, 218namespace declaration inheritance and
superfluous declaration deletion,188–190
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 509
Canonicalization (cont.)namespace nodes, 197–198node-sets, 192–193normalizing namespace prefixes, 175notations, 85, 204operational nonequivalence, 203–204output/print rules, 184–188paper point of view, 475processing instruction nodes, 199protocol point of view, 475–476reference replacement, 182relative URIs, 204removing XML declaration and DTD, 182requirement for XML data, 178root node, 195signatures, 421SOAP, 260special characters in text output encoded,
187text nodes, 198–199transformative summary, 180–190unparsed external entities, 204well-formed XML, 194–195white space
in content, 187inside start and end tags, 187outside document, 185in processing instructions, 187
XML, 172–173xml namespace attributes, 188, 205–206XPath data model, 190–191XPath node, 192
Canonicalization algorithms, 421–424Canonicalization data model, 190–194Canonicalization of XML, 460CanonicalizationMethod algorithm, 213,
217, 393CanonicalizationMethod element, 216–219,
246, 247, 406, 421flexibility, 218P3P (Platform for Privacy Preferences), 258
CanonicalizationMethod role element, 386,387
Canonicalized Reference element, 248Canonicalized SignatureMethod, 247Canonicalized SignedInfo, 247Capslock Ubisecure Signature XMLDSIG
product Web site, 442Capslock Web site, 442
510 ❘ Index
SNL
Cardinality indicator characters, xxiCarriage return (xOD), 183Carriage return new line (xODxOA), 182CarriedKeyName element, 354–355, 364, 366Case sensitivity, 41CBC (Cipher Block Chaining) mode, 409CDATA sections, 50–51, 182–183CDATA type, 184
attributes, 80termination string, 50
ceiling() function, 122Certificate references, 285Certificates
assurance about public key, 22authenticating digital signature, 23chain of, 23containing validation key, 310date of issuance and expiration, 23hierarchical model, 23–24identity or access authorization, 23mesh model, 24OCSP (Online Certificate Status Protocols),
26–27PGP (Pretty Good Privacy), 25public key, 23revocation lists, 25–26status of, 314type supported, 331X.509, 25X.509v3, 25
CertificateValues element, 288–289, 291Certification authorities, 23Certs element, 275CGI (Common Gateway Interface) programs,
127Channels, 334Character content, 105–106Character data, 50–51, 80Character Map, 53Character normalization, 202–203Character references, 182–183Character sets, 52–53Character-point preceding node, 139Characters
alphabetic comparisons, 194appending to normalized value, 183
Checksum, 14child:: axis, 109, 137Child elements, 45, 78–79
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 510
Child sequence XPointers, 242Child sequences, 135Cipher text, 17
base-64 encoded octet, 350decryption, 410–411encryption, 410–411reference to external location, 350–352
CipherData elements, 348, 350–353, 359, 364,366–367, 414
CipherReference element, 344, 350–352,366–367, 393, 424
Ciphers, 17–18CipherValue element, 344, 350–351, 364,
366–367Circumflex (^), 132Clark, James, 35Client and server sample code (ASP .NET)
Web site, 447Clients
authorized to register key, 336data elements requested by, 327generating key pair, 332information about keys, 322validity of assertion, 324
CMS (Cryptographic Message Syntax) KeyChecksum, 414
CMS Key Checksum algorithms, 414CMS (Cryptographic Message Syntax) of
S/MIME, 412Collapsed ranges, 138Comment nodes, 107, 199–200::comment() node test, 111Comments, 51–52
Canonical XML, 230Exclusive XML Canonicalization, 230preserving, 190
CommitmentTypeId element, 280CommitmentTypeIndication element,
279–280CommitmentTypeQualifiers element, 280Compatibility between XML documents, 6CompleteCertificateRefs element, 284–285,
291CompleteRevocationRefs element, 285–287,
291Complex form digital signatures example,
237–239Complex protocol digital signature example,
234–236
Index ❘ 511
S
L
Complex types, deriving types from, 97complexType construct, 89complexType element, 90Concatenating strings, 119concat() function, 119Confidentiality, 9Construct, 90Container nodes, 136–137Containers, 136contains() function, 119Content, restricting, 94–95Content model elements, 74–77ContentTimeStamp element, 283–284Context, 114, 142Context node, 120Core meaning, 471, 472CounterSignature element, 277–278count() function, 117Covering range, 141CRL (certificate revocation lists), 26, 285CrlOcspRef element, 287CRLValues, 289–290Cryptographic algorithms and XKMS,
334–338Cryptography
asymmetric key ciphers, 19–20MACs (message authentication codes),
15–17message digests, 13–15public key ciphers, 19–20secret key ciphers, 17symmetric key ciphers, 17–18
CSS (Cascading Style Sheets), 64–65, 67Custom canonicalization, 188, 201, 205Customized markup languages, 35
DData
decrypting, 408–410digest of, 214–215digital signatures, 214–215encrypting, 361–362, 408–410information about, 215–216MIME type, 225–227multiple keys, 227SignatureMethod algorithms, 227specifying which is signed, 220–224standard form of, 169subset, 132
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 511
Data (cont.)transforms, 222type pointed to, 221–222verification has failed, 227
Data objects, 36Data structures, 40Data types
abstract, 96deriving from complex types, 97listing, 97restricting derivation, 97schemas, 89–90, 213specifications, 96XAdES signatures, 271–273
DataEncodingUnknown faults, 153DataObjectFormat element, 278–279DataReference elements, 356, 358dateTime simpleType, 89Decimal character references, 53Decrypt (Decryption Transform for XML
Signature), 10Decrypting
data, 408–410keys, 412symmetric keys, 414–420
Decryptioncipher text, 410–411Decryption Transform, 376–379in different environment, 179–180key for, 355–356obtaining keying material, 357–358post-decryption processing, 368pre-decryption processing, 367processing, 367processing flow, 365–368
Decryption Transform, 376–379Decryption Transform algorithm, 394Default
attributes, 184language, 48–49white space, 50
Default attribute, 93#DEFAULT value, 83Dereferencing URIs, 240–243DES (Data Encryption Standard), 18
See also Triple DES.Descendant, 74descendant:: axis, 109, 137descendant-or-self:: axis, 109, 137
512 ❘ Index
SNL
Detached encryption, 344Detached signatures, 209–210Detail element, 153Detail entries, 153DHKeyValue element, 301, 305–306, 308Diffie-Hellman algorithm, 387Diffie-Hellman Key Agreement algorithms,
401–404Diffie-Hellman public key, 305–306Digest algorithm, identifying, 222–223Digest of data, 214–215DigestAlg algorithm, 403, 404DigestMethod algorithm, 213DigestMethod element, 222–223, 239, 246,
248, 307, 374, 386–389, 395, 397, 403, 414Algorithm attribute, 413P3P (Platform for Privacy Preferences), 258
DigestValue element, 223, 239, 246, 248, 307,374, 396–397, 428
Digital signatures, 17, 21–22, 207algorithms, 213–214appropriate verification key, 225binary signature value, 224–225calculation of, 171canonicalization, 29, 171–178, 249combining with encryption, 371–379converting to sequence of octets, 216–219criticality flag, 229–230cryptographic parts, 228–230data, 214–215enveloped encryption, 27failure, 172generating, 246generation key, 207–211information presented to user, 250–251insecurity of, 172inside encryption, 29meaning, 208message digests, 21messages, 21multiple, 227on only what is seen, 250–251only what is signed is secure, 249outside encryption, 28–29Reference elements, 220–224relevant information, 228–230robust, 29secure, 29security, 248–252
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 512
signature attributes, 229SignatureValue element, 224–225SignedInfo element, 215–220signing encrypted data, 375SOAP Envelope, 261–262strength of, 251–252stringent canonicalization requirements,
130syntax, 211–230transforms, 248–251URI representation, 214validation, 264verification key, 207–211verifying, 216–220, 246–248, 247
Display agent, 39Distinguished name encoding, 311–312div operator, 116Do nothing canonicalization, 218DOCTYPE declaration, 63<!DOCTYPE> tag, 71, 72Document encoding, 185Document entity, 60Document order, 101, 139, 193Document Style Semantics and Specification
Language, 65Document-oriented digital signature
signature, 232–233Documents, 4, 36
See also XML documentsappearance of, 63–67describing structure, 70element containing all other elements, 42encoding, 185information about content, 71labels for content, 84–85nesting elements, 42quotes surrounding attribute values, 42root element, 70, 102root element name, 72selecting subsets, 193usable without DTD, 81well-formed, 40–42white space, 49white space outside, 185
DOM (Document Object Model), 104DOM data model, 191Domain names, 125DOMHASH, 191Done Information, 442
Index ❘ 513
S
L
Double apostrophe/double-quote ("), 53, 187Draft Standard, 461DSA algorithms, 406–407DSA (Digital Signature Algorithm) keys,
302–303DSA signature algorithm, 302–303DSA signatures, 300DSAKeyValue element, 213, 301–303, 308DSAwithSHA1 algorithm, 392ds:CryptoBinary simple type, 213ds:KeyInfo element, 348, 354–355, 357–358,
366ds:KeyName element, 354, 357, 363–364, 366ds:KeyRetrievalMethod element, 363ds:KeyValue element, 357ds:Reference element, 278, 352ds:RetrievalMethod element, 354, 355–356,
358, 363, 366DSTC (Distributed Systems Technology
Centre), 443DSTC Web site, 442–443DSTC XMLDSIG product Web site, 443ds:Type attribute, 278.dtd extension, 71DTDNotSupported faults, 153DTDs (Document Type Definitions), 6, 39,
42, 44–45basics, 70–71conditional sections, 73data types, 213declaring general entities, 61defining attributes, 79–82element type declarations, 73–79entity reference declarations, 82–84enumerated attribute type, 81–82external, 71–73format, 72general entity references, 83grouping elements, 74guidelines, 73importance in data exchange, 69importance of, 88internal, 71–72KeyInfo element, 297markup declarations, 71name of entity declared in, 80notation declarations, 84–85ordering child elements, 74parameter entities, 62, 83
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 513
DTDs (cont.)parameter entity reference declarations, 84signing, 69xml:lang attribute, 48SOAP messages, 147XPath, 102
EElement content, 299Element nodes, 103–104, 195–196Element type declarations, 70, 73–79Element wrapping, 227elementFormDefault attribute, 95Elements, 45–47
abstract, 96Algorithm attribute, 383ancestor, 74ANY content model, 75any valid character data, 76–77attributes, 47–48, 79–82change of context, 177–178changing enveloping context, 176containers as, 136content, 46, 73–74with content, 45content models, 74–77default attributes, 184descendant, 74empty, 76, 97, 186EMPTY content model, 76end tags, 45frequency indicators, 77–78grouping, 74, 77–78, 94hierarchy, 74ID of another, 80labeling, 81#PCDATA content model, 76–77local, 91locating, 135mixed content, 75, 76–77multiple attributes, 82multiple elements within, 77namespace nodes ordered alphabetically,
194with notation attribute, 84parent-child relationship, 74problems with reenveloping, 176qualified names, 56, 58relationships, 46, 74
514 ❘ Index
SNL
retaining comments while selecting, 242schemas, 91–95simple naming rules, 46, 47simpleType, 89specifications, 96start tags, 45structures, 74substituting, 97syntax, 73syntax for algorithm-specifying, 384types, 91unique ID, 80, 118unique values, 97values, 93XAdES signatures, 273–274xml:space attribute, 49–50
EME-OAEP-ENCODE function, 414EME-PKCS1-v1_5 function, 412EMPTY content model, 76Empty elements, 45, 76, 97, 186EMSA-PKCS1-V1_5-ENCODE function, 407EncapsulatedCRLValue element, 289EncapsulatedOCSPValue element, 289EncapsulatedPKIValueType data type, 272Encoded value of digest output, 223Encoding, 52–53Encoding attribute, 45Encoding declaration, 45encodingStyle attribute, 153, 159EncryptedData element, 295, 343–344, 346,
350, 352–354, 356–358, 361–362, 364,367–368, 372, 375, 377–378, 399, 408,410, 412
EncryptedKey element, 295–296, 298, 306,316–317, 343, 350, 354–358, 366–368,379, 400, 412, 414
CarriedKeyName attribute, 308information concerning generation, 352referenced, 363–364
EncryptedKey elements, 362EncryptedType type, 347–349Encrypting
arbitrary data, 344, 361–362data, 408–410keys, 412symmetric keys, 414–420XML element content, 360–361XML elements, 359XML in place, 344
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 514
Encryption, 9, 477Canonical XML and, 178–180canonicalization, 29, 421care with algorithms and expressions, 369cipher text, 410–411combining with digital signatures, 371–379decryption in different environment,
179–180detached, 344encrypted data, 353enveloping, 344examples, 358–364identifying referent’s type, 354–356information revealed, 369as new document root, 353paper point of view, 478plain text before, 348post-encryption processing, 366–367pre-encryption processing, 365private keys, 299processing, 365–366processing flow, 365–368protocol point of view, 478referencing, 344security considerations, 368–369of signed data and signature, 372–373of signed data but not signature, 374signing encrypted data, 375super-encryption, 362–363transporting encryption keys, 354–356triple DES, 409user-readable name with key value, 354–355XML, 368
Encryption algorithm, 348–349Encryption key
information about, 348pointers to data and keys encrypted, 354pointers to items encrypted by, 356–357recipient, 355transporting, 354–356type, 355
EncryptionAlg algorithm, 403EncryptionMethod algorithm, 214, 364EncryptionMethod algorithm role, 389EncryptionMethod element, 348–349, 367,
386, 395, 399, 408, 410–412, 414–415EncryptionProperties element, 348, 352–353End tags, 45, 82end-point() function, 140–141
Index ❘ 515
S
L
Entities, 43, 60–62, 82declaring in DTD, 80values of, 69
ENTITIES attributes, 80ENTITIES type, 204ENTITY attributes, 80<!ENTITY> declaration, 83Entity declaration, 70ENTITY declarations, 212Entity reference declarations, 82–84Entity references, 61, 63, 182–183ENTITY type, 204Entrust Web site, 443Entrust/Toolkit for Java Web site, 443Enumerated attribute type, 81–82ENUMERATED attributes, 80env namespace prefix, 164env:DataEncodingUnknown Fault, 164Envelope element, 155–158Enveloped encryption, 18, 20, 27–29, 306Enveloped Signature algorithm, 394Enveloped Signature Transform algorithms,
430Enveloped signatures, 209–210EnvelopedSignature transform, 427Enveloping encryption, 344Enveloping signatures, 209–210env:Server Fault, 164equality (=) Boolean operator, 115Escaped characters, 80ETSI (European Telecommunications
Standards Institute), 263–264Except element, 377Exclusive XML Canonicalization, 169–170,
171, 178, 205, 421comments, 230explicit interoperability testing, 437input/read rules, 182–184namespace nodes output, 198namespace prefixes treated inclusively, 190output namespace declarations, 189–190output/print rules, 184–188serializing attributes, 188
Exclusive XML Canonicalization algorithms,218, 388, 423
Exclusive XML Canonicalization interoper-ability matrix Web site, 438
Exclusive XML Canonicalization interoper-ability page, 442
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 515
Exclusive XML Canonicalization test vectorsWeb site, 445
Exclusive XML Canonicalization withComments algorithm, 388
Explicit transforms, 243Expressions, 112–113
context size, 118encryption, 369functions, 114–115operators, 115–117XPointer, 134
Extensibility of processing, 474External DTDs (Document Type Definitions),
42, 45, 71–73External entities, 61–62
Ffalse() function, 121Fault element, 152–155Fault schemas, 155–158faultactor element, 152–153faultcode element, 153faultstring element, 152FIPS (Federal Information Processing
Standards), 465, 466–467FIPS home page, 466Firewalls and HTTP (Hypertext Transfer
Protocol) binding, 161Fixed attribute, 93#FIXED value, 83floor() function, 122following:: axis, 109following-sibling:: axis, 109, 137Forward axis, 112Frequency indicators, 77–78Fujitsu Web site, 443–444Fujitsu XMLDSIG products Web site, 444Full XPointer, 133–134Function library for XPath, 117–122Functions, 114–115
XPointer, 140–143
GGapXse Web site, 444General entities, 61–62, 82–83Generic URIs (Uniform Resource Identifiers),
124Geuer-Pollmann, Christian, 439GI (generic identifier), 45
516 ❘ Index
SNL
Global attributes, 92, 147Global elements, 91Greater than (>)
See also Right angle bracket.Grouping elements, 77–78Groups, complicated restrictions, 97> > escape string, 53
HHashDataInfos element, 273Header blocks, 154Header element, 151here() function, 141, 428, 429Hexadecimal character references, 53Historic standard, 461HMAC algorithm, 404HMAC SHA-1 algorithm, 392, 405HMAC variations of algorithms, 406HMAC-MD5 algorithm, 392HMACOutputLength element, 405HMAC-RIPEMD160 algorithm, 392HMAC-SHA256 algorithm, 392HMAC-SHA384 algorithm, 392HMAC-SHA512 algorithm, 392Horizontal tab (xO9) appending space
character, 183Hosts and authorities, 124HP Web Services Platform 2.0 Web site, 444HP Web Services Web site, 444href attribute, 147HTML (Hypertext Markup Language), 3–5HTML documents compared with XML
documents, 37HTTP (Hypertext Transfer Protocol),
160–162http://www.w3.org/2000/09/xmldsig#
namespace, 213http://www.w3.org/2001/12/soap-encoding
encoding, 159Hughes, Merlin, 439, 442
IIAB (Internet Architecture Board), 459IAIK (Institute for Applied Information
Processing and Communications) Website, 445
IANA (Internet Assigned Numbers Authority),49
IBM security suite Web site, 446
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 516
IBM Web site, 445–450ID attribute, 80, 81id attribute, 147ID simpleType, 89id() function, 117, 118, 204IDREF attributes, 80IDREF simpleType, 89IDREFS attributes, 80IESG (Internet Engineering Steering Group),
459IETF (Internet Engineering Task Force), 10,
25, 459–460IETF protocols, 479IETF tags, 49IGNORE keyword, 73#IMPLIED value, 83in-band key distribution, 316–317INCLUDE keyword, 73Independent parallel signatures, 278Index, 136Inequality (!=) Boolean operator, 115Infomosaic Web site, 446Information, describing structure, 88Inherited attribute and namespace declaration
rules, 188–190INRIA (Institut National de Recherche en
Informatique et Automatique), 453Integer simpleType, 89Integers, 213Intermediate-level certification authority, 25Internal DTDs (Document Type Definitions),
71–72Internal entities, 61–62Internal General Entity Reference
Declarations, 83Internet Explorer semantic attacks, 126Internet protocols, 125Internet RFC 1766, 36Internet Standard, 461IOTP, 191IPSEC (IP Security), 9, 334IPv4 (Internet Protocol), 125IPv6, 125ISO 639, 36ISO 3166, 36ISO 10646, 52ISO characters, 52ISOC (Internet Society), 459IssuerTrust aspect string, 329
Index ❘ 517
S
L
IV (initialization vector), 409IXSIL (IAIK XML Signature Library), 445
JJava implementation of XMLDSIG Web site,
446Java XKMS reference implementation
Web site, 443Java-based XML processor, 40JDSS II, 446
KKA-Nonce element, 399, 403Karlinger, Gregor, 439, 445Keio University of Japan (Shonan Fujisawa
Campus), 453Kerberos, 18Key agreement algorithms, 398–404Key binding
information associated with, 325registered by service, 334registration, 331status, 328XML digital signature, 337
Key Information Services, 319, 321–327Key pair, clients or servers generating, 332Key recovery, 331Key registration messages, 331–334Key Registration Service, 319Key revocation, 331Key rollover, 30–31Key transport algorithms, 412–414Key wrapping, 416–420KeyBinding element, 331, 333–336KeyBindingAuth element, 336, 337Keyed hash authentication codes, 251KeyID, 324KeyInfo element, 225, 247, 275, 293, 295, 310,
344, 367, 387, 399–400, 412, 414child elements, 295, 297–299DTDs (Document Type Definitions), 297information stored at another location,
306–308namespace prefixes, 296schema notation, 296syntax, 296–297
KeyInfo formats, 259KeyInfo type element algorithm, 214KeyName element, 298, 308–309, 311, 367
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 517
KeyName string, 330KeyReference elements, 357, 358Keys
algorithm invocation, 308certificates containing validation key, 310client authorized to register, 336decrypting, 412elements desired in response, 329encrypted by another key, 306encrypting, 412helping recipient choose, 309–314identifying to recipient, 308–309information concerning, 322KeyID, 324PGP public key pairs and signatures,
314–315randomness, 29–30registration of server generated, 337–338registration of user-generated, 336–337result codes, 328results of validation, 327shared secret data, 335–336status of assertion, 328types of usage, 325URI identifier, 324–325valid or indeterminate status, 328–329validity, 322
KeySize element, 349, 399, 403KeyValue element, 298KeyValue string, 330
Llang() function, 121Language, default, 48–49Language tags, 121last() function, 118#PCDATA content model, 76–77Left angle bracket (<), 42, 52–53, 63, 187Legal characters, 52Less than (<), 42, 52–53, 63, 187Line breaks, 182–183Line separator character, 44List types, 97Literal prefix names, 100Local attributes, 92–93Local elements, 91local-name() function, 118Locate Service, 322–324Location paths, 107–112
518 ❘ Index
SNL
Location points, 140–141Location steps
axis, 108, 109–110node tests, 108, 110predicates, 108, 110–112
Locations, 135–136, 140, 142Location-sets, 135–136, 140
selecting points from, 137with single member, 141string value of items, 142–143
Logical assertion markup, 38Logical structure, 43
attributes, 47–48CDATA sections, 50–51character sets, 52–53comments, 51–52elements, 45–47encoding, 52–53PIs (processing instructions), 54–55special attributes, 48–50XML declarations, 44–45
Lower-level certification authorities, 24< < escape string, 53
MMAC (Message Authentication Code)
algorithms, 404–406MAC (hash) function output value, 325Machine validation of document structure, 88MACs (message authentication codes), 15–17mailto: scheme, 127Manifest element, 221, 227–228, 245–246, 376Markup, 4, 43Markup declarations, 70–71Markup languages, 35Markup tags, creation of, 6–7MD5 algorithms, 390, 395–397Message digest algorithms, 29, 385, 395–398Message digests, 13–15, 21Messages
converting to fixed-length binaryfingerprints, 13
digital signatures, 21MGF1 function, 414MgmtData element, 298, 316–317MgmtData string, 330Microsoft Web site, 447Middle attribute, 93MIME type of encrypted data, 348
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 518
Minimal Canonicalization, 172, 218, 423–424Minimal Canonicalization algorithms, 388,
423–424Misunderstood element, 154MIT/LCS (Massachusetts Institute of
Technology’s Laboratory for ComputerScience), 453
mod operator, 116Moving resources, 128Multiple string, 330mustUnderstand attribute, 148, 150–151, 154MustUnderstand fault, 147–148, 152–155
NName attribute, 91Name tokens, 81name() function, 118, 190Names
colon (:) in, 57prohibiting from starting with numbers, 47
Names entities content, 63namespace:: axis, 109, 137Namespace attribute, 94–95, 96Namespace identifier, 147Namespace nodes, 104–105
canonicalization, 197–198covering range, 138
Namespaced references to profiles, 175Namespace-qualified name, 153Namespaces, 55
algorithm-specific, 383allowable, 94–95alphabetic order, 194binding, 200classes of namespaces, 94colon (:) reserved for, 47declaration inheritance, 188–190declarations, 57–58explicitly matching prefix names, 175guidelines, 59inclusion/exclusion of ancestor declarations,
205–206inputting components from other, 96local elements and attributes, 95ordering, 186prefix declaration affecting all child nodes,
174–175prefixes, 56, 58–59problems with, 174–178
Index ❘ 519
S
L
qualified names, 58qualifying all global elements and attributes,
95relative URIs, 205schemas, 89, 95–96SOAP, 147superfluous declaration deletion, 188–190uniqueness, 57URIs (Uniform Resource Identifiers), 59XML, 37
namespace-uri() function, 119NBS (National Bureau of Standards), 465::NCName:* node test, 111NDATA keyword, 62NEC Web site, 447–448Netscape Navigator
random number generator for SSL keys, 30semantic attacks, 126
New line (xOA) appending space character,182–183
Nillable elements, 97NIST (U.S. National Institute of Science and
Technology), 465–466NMTOKEN attributes, 80–81NMTOKENS attribute, 81NMTOKENS simpleType, 89Node test (::*), 111Node tests, 108, 110, 138::node() node test, 111Node-point, 136, 139Nodes, 140
actors, 150covering range, 138–139document order, 101, 139name with namespace prefix, 190number in parameter, 117
Node-sets, 107, 140, 190, 192, 378–379, 426document order, 193functions, 117–119operators, 115same-document URI references, 241union of, 115unordered, 193XML canonicalization, 241–242
Non-cryptographic algorithms, 421–433none actor, 150Non-null URIs, 242–243Nonvalidating parser/processors, 39–40normalize-space() function, 119
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 519
NOTATION attribute, 81NOTATION declarations, 54, 204Notation declarations, 70, 84–85Notations
canonicalization, 204names of, 81, 84problems with canonicalization, 85
Note, 454not() function, 121Null URIs, 242Number element, 361Number functions, 122number() function, 114, 122Numeric character references, 53Numeric IPv6 addresses, 125
OOAEP (Optimal Asymmetric Encryption
Padding), 413OAEP encryption algorithms, 385OAEPparams element, 413, 414OASIS (Organization for the Advancement of
Structured Information Standards)consortium, 11
Object element, 225–227, 265ObjectIdentifierType data type, 271–272ObjectReference attribute, 279Objects, converting to strings, 120OCSP (Online Certificate Status Protocols),
26–27, 285OCSP string, 330OCSP (Online Certificate Status Protocol)
tokens, 314OCSPValues (OCSP Responses), 289–290Octothorpe (#), 129OIDs (object identifiers), 271Opera browser and semantic attacks, 126Operational nonequivalence, 203–204Operators, 115–117Or Boolean operator, 115origin() function, 141OSI X.500 Directory standard, 25Output/print rules, 184–188Overall system security, 32
Pp (prefix) entity, 212P3P (Platform for Personal Privacy
Protection), 453
520 ❘ Index
SNL
P3P (Platform for Privacy Preferences),253
Assures element, 254–256CanonicalizationMethod, 258DigestMethod, 258KeyInfo formats, 259limitations, 258–259SignatureMethod algorithms, 258transforms, 259XMLDSIG links to semantics, 254–255XMLDSIG use, 257–258
P3P policy, 254Padding algorithm, 409Padding method, 385Paper point of view, 469–470, 480
adjunct meaning, 472amount of processing, 473authentication, 476canonicalization, 475core meaning, 471encryption, 478extensibility of processing, 474granularity of processing, 473unique internal labels, 478
Parameter entities, 61–62, 83Parameter entity reference declarations, 84Parameter node-set, 118–119Parameters, 117, 121parent:: axis, 110, 137Parent element, 45Parsed data, 43Parser/processors
information about document content, 71nonvalidating, 39–40protecting information from, 50UTF-8, 45UTF-16, 45validating, 39–40XML, 45
Pass phrase, 335PassPhraseAuth element, 336, 337Patents, 11Paths and URIs (Uniform Resource
Identifiers), 126–127Payment element, 359PCDATA, 50Percent sign (%), 129Personnel security, 31, 32PGP (Pretty Good Privacy), 9, 25
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 520
PGP public key identifier, 314PGP string, 330PGPData element, 298, 314–315PGPKeyID element, 314PGPKeyPacket element, 314PGPWeb string, 330Phaos for XMLDSIG, XML Canonicalization,
and XML Encryption Web site, 448Phaos Technology Web site, 448Physical randomness, 30Physical security, 31, 32Physical structure, 60–63PICS (Platform or Internet Content Selection),
453PIs (processing instructions), 54–55PKCS #7 signedData structure, 313–314PKCS7signedData element, 308, 310,
313–314PKCS#1 specification, 406Plain text, 17Plain text, limited-use, shared secret pass
phrase, 335Plain text types, 349Point location extension:, 136–137Point type, 136–137Pointers, 127Points
covering range, 138document order, 139index, 136for locations, 142preceding node, 139
Point-to-point security, 9position() function, 119Post-decryption processing, 368Post-encryption processing, 366–367Pound sign (#)
See also OctothorpePouliot, Sebastien, 448Poupou, 448preceding:: axis, 110Preceding node, 139preceding-sibling:: axis, 110, 137Pre-decryption processing, 367Predefined entity references, 42Pre-defined simpleType construct, 89Predicates, 108, 110–112Pre-encryption processing, 365Prefixes, reserved, 58
Index ❘ 521
S
L
Privacy policies, 254–259Private element, 334Private key element, 329Private keys, 251
compromised, 25–26encryption, 299parameters generated by registration
service, 334process to release to, 331XML digital signatures, 299
Private string, 330Procedural security, 31processContents attribute, 94Processing instruction nodes, 106, 199Processing Instructions and SOAP messages,
146::processing-instruction (Literal) node test,
111Prolog, 37, 70ProofOf Possession element, 336, 337Proposed Recommendations, 454, 455Proposed Standard, 461Protocol point of view, 469–470, 480
adjunct meaning, 472–473amount of processing, 473authentication, 476–477canonicalization, 475–476core meaning, 472encryption, 478extensibility of processing, 474granularity of processing, 473–474unique internal labels, 478–479
Public identifier, 62Public key algorithms, 21Public key authentication and digital
signatures, 21–22Public key ciphers, 19–20Public key encryption systems, 27Public key infrastructure, 331Public key signature algorithm, 385Public keys, 251, 331
authenticating, 335–336binding between data elements, 325–326certificates, 23queries, 322–323rollover, 30–31root, 23secret quantity shared between sender and
recipient, 398
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 521
Public keys (cont.)top-level, 23value of, 299–306
Public/private key pair, 332
Qqname attribute, 154::QName node test, 111Qualified names, 58Queries and public key, 322–323
RRadioactive decay, 30Random number generation, 30Randomness, 29–30Range location extension:, 137–138range() function, 141range-inside() function, 141Ranges, 137–139, 141range-to() function, 142RC4 algorithm, 411Reagle, Joseph, 450Receiver faults, 153RecipientKeyInfo element, 398Recommendations, 454Ref attribute, 91, 94Reference element, 214, 220–224, 245–246,
260, 297, 299, 307, 374, 376, 393, 396, 424dereferencing URIs, 240–243validating, 246
ReferenceList element, 351, 354, 356–357, 364References
generation, 245–246same-document, 241–242verification, 247–248
Referencing encryption, 344Register element, 332–333Relative location paths, 107Relative URIs (Uniform Resource Identifiers),
127–128, 130base URI for, 131–132canonicalization, 204as namespaces, 205
Request message, 326–327, 332–333#REQUIRED value, 83Required-SOAPAction HTTP Header, 162Reserved prefixes, 58Resource-constrained applications, 217Resources, 128
522 ❘ Index
SNL
Respond element, 333Response message, 327, 333–334Restricting content, 94–95Result tree, 65–66RetrievalMethod element, 297–299, 306–308,
367, 386, 393, 424RetrievalMethod string, 330Reverse axis, 112RevocationValues element, 289–290, 291RFC Editor Web site, 462RFCs (Requests for Comments), 459
access to, 461–462ASCII format, 462–463BCP (Best Current Practice) standard, 461Draft Standard, 461Experimental status, 460format to, 462–463Historic standard, 461Informational status, 460Internet Standard, 461Proposed Standard, 461
Right angle bracket (>), 52–53Rijndael, 18RIPEMD-160, 389RIPEMD-160 algorithms, 390, 398Root elements, 45, 75, 102Root node, 101–103
canonicalization, 195containers as, 136covering range, 138multiple child elements, 136processing child nodes in document order,
195Root public keys, 23round() function, 122rpc namespace prefix, 164rpc:BadArguments Fault, 164rpc:ProcedureNotPresent Fault, 164RPCs (Remote Procedure Calls)
Faults, 164information required, 163schemas, 164SOAP, 162–166
RSA (Rivest-Shamir-Adelman) algorithm, 304RSA key pairs, 338RSA keys, 304RSA Security Web site, 449RSA signatures, 300RSA variations of algorithms, 408
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 522
RSA Version 1.5 algorithms, 412–413RSAES-PKCS1-v1_5 algorithm, 412RSAKeyValue element, 301, 304, 308RSAKeyValue value, 213RSA-OAEP, 413RSA-OAEP algorithms, 391, 413–414RSA-SHA1 algorithms, 407–408RSASSA-PKCS1-v1_5 encoding/padding
algorithm, 407RSA-v1.5 algorithm, 391RSAwithMD5 algorithm, 392RSAwithRIPEMD160 algorithm, 392RSAwithSHA1 algorithm, 392RSAwithSHA256 algorithm, 392RSAwithSHA384 algorithm, 392RSAwithSHA512 algorithm, 392
Ss (suffix) entity, 212Salz, Richard, 450Same-document references, 241Same-document XPointers, 242SAML (Security Assertion Markup Language),
11Sanin, Aleksey, 451Schema algorithm, 394Schema element, 89Schema validation transform, 432schemaLocation attribute, 96Schemas, 39, 69, 87
abstractness, 96advantages, 87annotations, 96anyType type, 94construct, 90content from different files, 95data types, 213default attribute, 93disadvantages, 87–88elements and attributes, 91–95fault, 155–158fixed attribute, 93global attributes, 92instance of, 88in instances, 97local attributes, 92–93namespaces, 89, 95–96overview, 88–89RPCs (Remote Procedure Calls), 164
Index ❘ 523
S
L
simpleType construct, 89–90types, 89–90validation, 432–438
Schemes and registry, 124Secret key ciphers, 17Secret key in MACs (message authentication
codes), 15Secure symmetric authentication algorithms,
371Secure symmetric encryption algorithms, 371Secure Telnet, 31–32Secure XML Verify() Web service Web site, 446Security, 6
actively monitoring for intrusion orcompromise, 32
authentication, 8confidentiality, 9cryptographic algorithms or formats, 32difficulty of forging signatures, 251–252encryption, 9, 368–369key rollover, 30–31non-XML mechanisms, 9by obscurity, 32overall system, 32personnel, 31, 32physical, 31, 32point-to-point, 9procedural, 31proper canonicalization, 32randomness generation, 32secrecy of symmetric and private keys, 32signatures, 248–252stylesheets, 64
Security HMAC, 15self:: axis, 110, 112, 137Sender faults, 153Sequence of octets, 190Server-generated keys, registration, 337–338Servers
generating key pair, 332trusted relationship with, 319
SGML (Standard Generalized MarkupLanguage), 3, 35
SGML Editorial Review Board, 4SHA versions of algorithms, 397–398SHA-1 algorithms, 390, 397SHA-256 algorithm, 390, 397SHA384, 389SHA-384 algorithm, 390, 397
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 523
SHA512, 389SHA-512 algorithm, 390, 397Shared secret data, 335–336Siggen Web site, 449Signature algorithms, 216, 251, 406–408Signature applications and Canonicalization-
Method algorithms, 217Signature aspect string, 329Signature element, 215, 227, 245, 351, 372,
374, 379, 387, 399–400, 428, 430algorithms, 213–214detached, 257enclosing policy, 258failure to verify, 247putting data inside, 225–227SOAP, 259steps required to produce and verify,
245–248syntax, 215
Signature generation, 245–246, 246Signature strength, 251–252Signature test vectors Web site, 445Signature verification, 246–248Signature verifier, 22SignatureMethod algorithm role, 389SignatureMethod algorithms, 213, 216, 227, 258SignatureMethod elements, 214, 219–220,
246–247, 395, 399, 405–407SignatureMethod role element, 386SignaturePolicyIdentifier element, 275–277SignatureProperties element, 227, 228–230, 254SignatureProperty element, 254Signatures, 207
binary format in PGP, 208binary format in PKCS#7, 208canonicalization, 421detached, 209–210difficulty in forging, 251–252enveloped, 209–210enveloping, 209–210independent parallel, 278new format for, 208–209security, 248–252XML syntax, 208–209
SignatureTimestamp element, 284, 291SignatureValue element, 214, 224–225, 247,
405–408, 428SignedDataObjectProperties element, 268,
269–270
524 ❘ Index
SNL
SignedInfo element, 214–220, 246–248,295, 376, 387
SignedProperties element, 265, 268SignedSignatureProperties element, 268, 269SignedSignatureProperty element, 279, 281SignerContactInfo element, 281–282SignerRole element, 282–283Signing encrypted data, 375SigningCertificate element, 274–275SigningTime element, 274SigPolicyID element, 276SigPolicyQualifier element, 276Simple protocol digital signature example,
230–232Simple XML, 55simpleType construct, 89–90SimpleTypes, 89Single apostrophe/single-quote (‘), 53Single-Request-Response TMEP, 160Skeletal XML, xxiS/MIME (Secure Multipurpose Internet Mail
Extensions), 9SML compatibility with SGML, 6SMTP default port number, 160SOAP, 145, 253
application signature profile rules andrecommendations, 260–261
application/soap MIME type, 162attributes, 149basics, 145–147Blocks, 150Body Block, 163Canonicalization, 260encoding, 158–159encoding schema, 481–494Envelope element, 155–158envelope syntax, 147envelope version change, 154fault schemas, 155–158faults, 152–155features included and excluded, 146global attributes, 147HTTP (Hypertext Transfer Protocol)
binding, 161–162HTTP RPCs (Remote Procedure Calls),
163–164http://www.w3.org/2001/12/soap-encoding
encoding, 159MustUnderstand Fault, 147, 152
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 524
namespace identifier, 147namespaces, 147nodes, 148refinement of, 10relation to XML, 146–147Required-SOAPAction HTTP Header, 162RPCs (Remote Procedure Calls), 162–166signature blocks, 260Signature element, 259single request-response TMEP, 161SOAPAction: HTTP Header, 162transport message exchange patterns, 160Upgrade element, 147VersionMismatch Fault, 148, 154XKMS, 320, 324XMLDSIG, 259–262XPath, 261
SOAP applications and SOAP messages, 260SOAP Envelope and digital signatures, 261–262SOAP Envelope element, 260SOAP messages
Body element, 148, 149, 151DTDs (Document Type Definitions), 147elements and attributes are namespace
qualified, 146Header Blocks, 152Header element, 148, 149, 151optimizing processing, 162procedure call request, 163Processing Instructions, 146restrictions, 146–147schema processing, 147SOAP applications, 260SOAP Blocks, 150stopping processing, 152transport protocol, 160XML digital signatures, 259
SOAP nodes, 150, 152SOAPAction: HTTP Header, 162Soap-envelope namespace, 150Sound and XML (Extensible Markup
Language), 38Sound markup, 38Source tree, 65, 66Space (x20) appending space character, 183Special character strings, 52–53Special characters, 182–183, 187SPKI (Simplified Public Key Infrastructure)
certification system, 25
Index ❘ 525
S
L
SPKI public key pairs, 315–316SPKI string, 330SPKIData element, 298, 315–316SPKISexp element, 315Square brackets ([]), 129SSL (Secure Sockets Layer), 9SSN element, 361Standalone attribute, 45Standalone document declaration, 45Standardized, well-formed HTML, 5Start tags, 45
attributes, 47–48, 79empty element tags, 79white space between attributes, 173
start-point() function, 142starts-with() function, 119Status aspect string, 329Stream encryption algorithms, 410–411String functions, 119–120string() function, 114, 120string-length() function, 120string-range() function, 142Strings, 89, 119–120Stylesheets, 39, 63
CSS (Cascading Style Sheets), 64–65security, 64XSL (Extensible Stylesheet Language),
65–66Subdocuments, 99Subset data, 132substring-after() function, 120substring-before() function, 120substring() function, 120Substrings, 119, 120subtraction (-) operator, 116–117sum() function, 122Super-encryption, 362–363Symmetric cipher, 27Symmetric key ciphers, 17–18Symmetric key wrap algorithms, 414–420Symmetric keys, 414–420Symmetric secret key authentication, 207System identifier, 62SYSTEM keyword, 72, 73
TTags, 36, 38targetNamespace namespace, 95TCP (Transmission Control Protocol), 126
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 525
Test vectors for XMLDSIG Web site, 450Text, 60
normalized or standardized, 171white space added to, 174XML documents, 38
Text canonicalization, 217Text nodes, 105–106, 198–199Text-based canonicalization algorithms, 217Textual objects as well-formed XML
document, 40–41Thermal noise, 30Timestamp Authority, 272–273Timestamps, 272–274TimeStampType data type, 272–273T.J. Mather Web site, 447TLS (Transport Layer Security), 9, 334TMEP (Transport Message Exchange Pattern)
model, 160Tokens, 135
allowed characters, 44list of, 80
Top element, 93Top-level certification authorities, 23–24Top-level public keys, 23Transform algorithms, 213–214, 239, 393,
424–433Transform element, 377, 386, 421, 424,
430–431Transform role in canonicalization algorithms,
387Transforms, 222, 245–246
automatic, 243–244data pipeline, 243–244digital signatures, 248–251element syntax, 244–245explicit, 243P3P (Platform for Privacy Preferences), 259XPath, 239–245XPath evaluation, 427XPath input, 426XPath output, 426–427
Transforms element, 222, 351, 357, 367, 393,424
translate() function, 120Tree transformation, 65–66Triple DES, 18Triple DES algorithms, 409–410Triple DES Key Wrap algorithm, 391, 415–416TRIPLEDES algorithm, 391
526 ❘ Index
SNL
true() function, 121TSP (Trusted Service Provider), 290Type attribute, 91Type URIs, 299
UUnicode, 38Unicode and ISO/IEC 10646, 36Unicode characters, 43, 129Unicode Normalization Form C, 202Union types, 97Unique internal labels, 478–479Unparsed data, 43Unparsed entities, 62, 84Unparsed external entities, 204UnsignedDataObjectProperties element, 268,
271UnsignedProperties element, 265–266,
268–269UnsignedSignatureProperties element,
267–268, 270Upgrade element, 147, 154URIs (Uniform Resource Identifiers), 56–57,
123, 245ASCII characters, 128, 129authorities, 124–126base, 130–132dereferencing, 240–243disallowed characters, 129domain names, 125encoding, 128–130encoding rules, 130fragment specifiers, 128host specification, 125hosts, 124most restrictive to most general, 159most specific, 221namespaces, 59non-null, 242–243numeric address, 125other references, 242–243paths, 126–127query component, 127reference ending with fragment specifier,
242references, 128relative, 127–128, 130representation in digital signatures, 214retrieving document or page, 127–128
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 526
same-document references, 241–242schemes, 124sequence of octets, 129styles for algorithms, 385, 387syntax, 124–127Unicode characters, 129XPointers, 132
URLs (Uniform Resource Locators), 123URNs (Uniform Resource Names), 123U.S. Digital Signature Algorithm, 303
See also DSA.Use attribute, 93User-generated keys registration, 336–337UTF-8, 45
character encoding, 185encoding, 52
UTF-16, 45character encoding, 185encoding, 52
VValid XML documents, 39, 42–43Validate element, 326–327Validate Service, 322, 324–327ValidateResponse message, 327Validating parser/processors, 39–40ValidityInterval aspect string, 329Values, selecting value from, 80Variables and entities, 82Verification in canonicalization, 29Verification key, 247Verisign, Inc. X.509v3 certificates, 26Verisign Web site, 449–450Verisign XKMS Java toolkit/SDK Web site,
449–450Verisign XML Signature Java SDK Web site,
449VersionMismatch Fault, 148, 153, 154Vertical bar character (|), 115Video and XML (Extensible Markup
Language), 38VXML (Voice Extensible Markup Language), 8
WW3C (World Wide Web Consortium), 4,
453, 460W3C Core XML Group, 170W3C documents, 454–456W3C Schema Recommendation language, 88
Index ❘ 527
S
L
W3C software disclaimer, 456–458W3C Web site, 450W3C Web site Technical Reports page, 454Web pages, 5, 127Web sites, standard format for privacy policies,
254–259WebSig Web site, 450Wedgetail product Web site, 451Wedgetail Web site, 450–451Well-formed documents, 40–42Well-formed XML documents, 39, 71White space, 49
added inside element, 174added to actual text content, 174between attributes in start tag, 173in content, 187default, 50inside start and end tags, 173, 187outside documents, 185preserving, 82problems, 173–174processing between CDATA and non-
CDATA attributes, 184in processing instructions, 187
White space characters, 183Windows machine Character Map, 53Working Draft, 454World Wide Web interoperable specifications
for content, 4
XX.500 identities, 25X.506v3 Certificate standard, 479X.509 certificates, 25X.509 CRL (certificate revocation list)
structure, 26X509 distinguished names, 311–312X.509 issuer, 309X.509 subject distinguished name, 309X509 V.3 certificate, 309X509 V.3-SubjectKeyIdentifier extension, 309X509Cert string, 330X509Certificate element, 309X509Chain string, 330X509CRL element, 310X509CRL string, 330X509Data element, 275, 298, 309–314X509IssuerName element, 311X509IssuerSerial element, 275, 309, 310
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 527
X509SKI element, 309, 310X509SubjectName element, 309–311X.509v3 certificates, 25–26X.509v3 mesh certificates, 25XACML (eXtensible Access Control Markup
Language), 11XAdES (XML Advanced Electronic Signature),
10, 264, 265XAdES signatures, 263–264
accessible validation data, 284–285certificate chain references, 284collecting certificates for, 288–289creation and validation rules, 275–277CRLValues (certificate revocation lists),
289–290data countersigned by appropriate entities,
277–278data types, 271–273elements, 273–274format types, 278–279independent parallel, 278information about signer, 281–282levels, 264OCSPValues (OCSP Responses), 289–290revocation information, 284–287, 289–290securing archival signatures, 290–291SignedProperties element, 268signer’s role, 282–283single signed data item format, 278–279source of signer identity, 274–275syntax basics, 268–273timestamp, 274timestamp before signing, 283–284timestamp certificates and revocation
information, 287–288timestamp over, 284UnsignedProperties element, 268validation, 284–291what signers have bound themselves to,
279–280XAdES (XML Advanced Electronic
Signature), 264, 265XAdES-A (XAdES-XL with one or more
embedded archival time stamps), 264, 268XAdES-C (XAdES-T with complete
validation data references), 264, 266XAdES-T (XAdES with additional time
stamp), 264, 266
528 ❘ Index
SNL
XAdES-X (XAdES-C with extendedvalidation data), 264, 267
XAdES-XL (XAdES-X with completevalidation data information), 264, 267
XAdES-A (XAdES-XL with one or moreembedded archival time stamps), 264, 268
XAdESArchiveTimestamp element, 290–291XAdES-C (XAdES-T with complete validation
data references), 264, 266XAdESCCompleteTimeStamp element,
287–288, 291XAdESCRefOnlyTimestamp element, 288, 291XAdES-T (XAdES with additional time
stamp), 264, 266XAdES-X (XAdES-C with extended validation
data), 264, 267XAdES-XL (XAdES-X with complete
validation data information), 264, 267Xalan package, 438–439XBULK, 334XHTML (Extensible Hypertext Markup
Language) Recommendation, 5XInclude (XML Inclusions), Version 1.0, 37X-KISS (Key Information Service Specifica-
tion), 320relieving clients of actions, 321services, 321–327
XKMS (XML Key Management Specification),10, 145
common data elements, 327–329cryptographic algorithms, 334–338namespace prefixes, 320respond strings, 330SOAP, 320, 324XML Key Management system, 319–320
XKMS Interoperability Web Service (.NET)Web site, 448
XKMS Note, 338XKMS WG (W3C XKMS working group), 339xkms:AssertionStatus element, 328xkms:AuthInfo element, 332xkms:KeyBinding element, 325–326, 331xkms:KeyBinding model, 324xkms:KeyBindingAuth element, 335–336xkms:KeyId element, 324–325xkms:KeyUsage element, 325xkms:PassPhrase element, 325xkms:PassPhraseAuth element, 335
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 528
xkms:ProcessInfo element, 325xkms:Prototype element, 325–326xkms:Query element, 325–326xkms:Reason element, 328–329xkms:Respond element, 322, 329xkms:ResultCode element, 324, 328xkms:ValidityInterval element, 324X-KRSS (Key Registration Service
Specification)all-purpose Register operation, 331key recovery, 331key registration messages, 331–334key revocation, 331parameters generated by registration
service, 334registration, 331
XLink (XML Linking Language), Version 1.0,37
XML (Extensible Markup Language), xvii, 3,479
1.0 (second edition), 36advantages and disadvantages, 6–7arbitrary-length integers, 213basics, 35–67canonicalization, 172–173case sensitivity, 41combining encryption with XMLDSIG,
368comments, 230design, 6design goals, 3encryption, 368encryption and Canonical XML, 178–180extensible style sheet, 7failure to canonicalize content, 249flexibility, 7goals, 5–6lack of automated processing libraries, 7mapping application parameter names into,
165–166meaning behind markup, 38namespace problems, 174–178need for security, 8–9origins, 4overview, 3–8parsing process, 39–40pointers, 127processing instructions, 230
Index ❘ 529
S
L
readable formatting, 173relation of SOAP, 146–147schema context, 212schema validation transform, 432sound, 38stylesheets, 63–67supporting variety of applications, 5syntax for marking up, 38usable over Internet, 5uses of, 8verbosity, 7video, 38white space problems, 173–174
XML Advanced Electronic Signatures, 263XML applications allowed syntax, 69XML Base, 37XML Canonicalization
node-sets, 241–242requires returning original prefix, 190XPath expressions, 242
XML canonicalization data model, 190–194XML declarations, 44–45XML Digital Signature applications, 406XML Digital Signature Software Library Web
site, 448XML Digital Signature standard, 246, 383, 397,
405, 422XML digital signatures, 334
complex form example, 237–239complex protocol example, 234–236examples, 230–239IOTP, 191key binding, 337private keys, 299simple document example, 232–233simple protocol example, 230–232SOAP messages, 259syntax, 211–230
XML documents, 36See also documentsaccessing content and structure, 39–40body, 37, 70comments, 51–52compared with HTML documents, 37–38compatibility between, 6DTD, 42ease of creation, 6elements, 45–47
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 529
XML documents (cont.)eliminating naming conflicts, 55entities, 43human-legible and clear, 6internal entities, 62logical structure, 37, 43–55markup, 70non-Unicode character codes, 38physical structure, 37, 43, 60–63prolog, 37, 70reading, 39–40structure, 43text, 38Unicode, 38valid, 39, 42–43well-formed, 39, 71XML markup, 38
XML elements, 359–361XML Encryption, 343–344, 378, 460
explicit interoperability testing, 437KeyInfo element, 295RetrievalMethod element, 306syntax, 346–358versioning, 347
XML Encryption interoperability matrix Web site, 438
XML Encryption Recommendation, 338XML Encryption standard, 346, 383, 397XML Encryption test vectors Web site, 442,
448XML Encryption Working Group site, 438xml entity, 61XML Key Management, 253XML Key Management protocol, 293XML Key Management system, 319–320XML namespaces, 55–60, 66, 353xml namespaces, 104
attribute inheritance, 188attributes, 196, 205–206special handling of attributes, 197
XML Namespaces Frequently Asked Questions(Bourret), 59
XML objects, general addressing of parts of,132–143
XML parser, 39–40XML preamble, 346xml prefix, 58XML processor, 39
530 ❘ Index
SNL
XML programs, 6XML Protocol Working Group, 160XML Recommendation, 36XML Schema advantages, 87XML Schema Validation, 432–433XML Sec Web site, 451XML security, standardization process, 10XML Security Library, 451XML Signature for Java, 439XML signatures
SignatureValue elements, 247verifying, 376–379
XML tags, 7XML Working Group, 4xml:base attribute, 130–132, 204XML-based canonicalization algorithms,
217XMLDSIG (XML Digital Signatures), 10, 191,
460basics, 207–211Canonical XML, 170combining with XML encryption, 368DTD context, 211–212explicit interoperability testing, 437KeyInfo element, 295links to P3P semantics, 254–255P3P use of, 257RetrievalMethod element, 306signature algorithms, 251SOAP, 259–262user-provided signature algorithms and
keying information designators, 251versioning, 213XML Digital Signatures, 207XML syntax, 209
XMLDSIG and Canonical XML product Web site, 446
XMLDSIG applicationshttp:access scheme, 221XPath, 240
XMLDSIG elements, 209–210, 214–215, 329XMLDSIG interoperability matrix Web site,
437XMLDSIG libraries, 246XMLDSIG namespace, 299, 346, 351, 425,
429XMLDSIG standard, 209, 245–249, 253, 300XMLDSIG working group, 88, 170
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 530
XMLDSIG Working Group site, 437, 438xmldsig:KeyInfo element, 322, 324–327xmldsig:KeyName element, 330xmldsig:KeyValue element, 330xmldsig:MgmtData element, 330xmldsig:PGPData element, 330xmldsig:RetrievalMethod element, 330xmldsig:RetrievalMethod type, 322xmldsig:SPKIData element, 330xmldsig:X509Data element, 330XMLENC (XML Encryption), 10XMLENC WG (XML Encryption Working
Group), 344XMLENCWG (XML Encryption Working
Group), 10xml:lang attribute, 48–49, 121, 205xmlns attribute, 57xmlns prefix, 58xmlns scheme, 134xml:space attribute, 49–50, 82, 205xml:space declaration, 178XPath, 99, 100
abbreviated notation, 112, 113–114applying to XML node-set, 193basics, 101Boolean functions, 121context, 114document order, 139DTDs (Document Type Definitions), 102equality operator, 429evaluation context, 136expression evaluation, 425–430expressions, 112–117extending, 132–143function library, 117–122, 140–143handling more general locations, 135here() function, 428location paths, 107–112locations, 135–136location-sets, 135–136node tests, 110, 137, 138node-set functions, 117–119node-sets, 101, 192–193, 378–379, 426number functions, 122point type, 136–137range types, 137–138searching on and matching exact prefix
names, 190
Index ❘ 531
S
L
SOAP, 261string functions, 119–120transform evaluation, 427transform example, 428–430transform input, 426transform output, 426–427transforms, 239–245union operator (|), 429XML declaration, 102XMLDSIG applications, 240
XPath algorithm, 394XPath applications, 192XPath data model, 99, 101, 190
attribute nodes, 104comment nodes, 107definitions, 240element nodes, 103–104extension of, 190namespace nodes, 104–105processing instruction nodes, 106root nodes, 102–103text nodes, 105–106
XPath element, 425–426XPath expressions, 101, 242XPath extensions, 135–140XPath Filtering algorithms, 425–430XPath node-set and root node, 102–103XPath (XML Path Language) Version 1.0, 37XPath-based Transform, 248XPointer, 37, 99, 100, 132
bare names, 135child sequences, 135document order, 139encoding, 132–133expressions, 134forms, 133–135full, 133–134functions, 140–143initialization of evaluation context,
139–140locating names, 135namespace context, 134namespace declaration, 134origin of link, 141same-document references, 241searching on and matching exact prefix
names, 190special characters, 132
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 531
XPointer (cont.)URI encoded, 133XPath extensions, 135–140
XPointer algorithms, 394, 431–432xpointer scheme, 134XPointers, 242–243xs:annotation element, 96xs:any element, 94–95xs:attribute element, 92, 94xs:element element, 91, 94xs:group element, 94xs:import element, 96xs:include element, 95XSL (Extensible Stylesheet Language), 37,
65–67
532 ❘ Index
SNL
XSL namespace, 66XSLT (XSL Transformations), 100
apply-templates command, 427searching on and matching exact prefix
names, 190Version 1.0, 37
XSLT algorithm, 394XSLT Transform algorithms, 430–431xs:redefine element, 96xs:schema element, 91–92, 95XTASS (XTML Trust Assertion Service
Specification), 11
ZZero key, 31–32
28946 02 p507-532 r3kp.ps 6/25/02 12:01 PM Page 532