Cryptographic authentication of VOEvents

Roy Williams roy at caltech.edu
Sun Sep 9 22:14:54 PDT 2012


Norman
Thank you as always for your insightful remarks on signing XML.

When I sign a document with a pen, I am signing precisely that and 
nothing else. If the spelling of "color" is changed to "colour", then it 
is not the document that I signed. Yet if they scan or fax the document, 
it becomes a computer file, and yet the law regards this transformation 
as lossless, so the signature as valid. So what changes can be made to a 
VOEvent without invalidating the signature?

There are changes to the XML that do not change the meaning -- e.g. the 
nature of the quote marks, as you point out. But there are wider changes 
that can be made, for example if there is a URL in the VOEvent, does it 
change the meaning to replace it with a different URL that has the same 
data at the end of it? This is what is wanted for caching of popular 
events. Or even changing the format: if the event is printed, and then 
the paper scanned, we have a JPEG representation (see above re paper and 
pens). More practically, some practitioners wish that VOEvent had been / 
will be rebuilt as a JSON file: is that now different enough to render 
the signature invalid? I guess it all depends if the transformation is 
sufficiently lossless of the meaning.

Of course you are right that changing the nature of the quote marks in 
XML is a lossless transformation. But it is the beginning of a slippery 
slope, a slope that many people want to slither down, that leads to a 
big Pandora's Box filled with Cans of Worms. If we can replace the quote 
marks in the XML, let's also replace the URLs, let's also change to 
JSON, etc etc. This is why, IMHO, we should attach the signature ONLY to 
the binary blob, or we will get into difficulties down the road, 
fighting over what is and is not a lossless transformation. To avoid 
this slippery slope, I suggest we decide (at least for now) that the 
signature applies ONLY to the binary blob, not to ANY transformation of 
the original?
Roy

---
Caltech LIGO
roy at caltech.edu
626 395 3670
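
The trade-off discussed in this message, as an added example that is not part of the original post: a digest over the raw bytes (what a blob-only signature would cover) next to a digest over a canonicalized form. The packets are constructed samples, and the choice of SHA-256 and of XML C14N 2.0 as the canonical form is an assumption of this example, not something the thread specifies.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed VOEvent-like packets (not real events).
ORIGINAL = (b'<VOEvent ivorn="ivo://example.org/test#1" role="test" version="2.0">'
            b'<Reference uri="http://example.org/data/event1.fits"/></VOEvent>')
# Same XML infoset: single quotes instead of double, attributes reordered.
REQUOTED = (b"<VOEvent role='test' version='2.0' ivorn='ivo://example.org/test#1'>"
            b"<Reference uri='http://example.org/data/event1.fits'/></VOEvent>")
# Same data served from a cache: the URL inside the packet differs.
RECACHED = ORIGINAL.replace(b"//example.org/data", b"//cache.example.net/data")


def blob_digest(packet):
    """Digest of the exact bytes: what a blob-only signature would cover."""
    return hashlib.sha256(packet).hexdigest()


def c14n_digest(packet):
    """Digest of the C14N 2.0 form: quote style and attribute order are normalized."""
    canonical = ET.canonicalize(packet.decode("utf-8"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def survives(original, received):
    """Return (blob_ok, c14n_ok): would each kind of signature still verify?"""
    return (blob_digest(original) == blob_digest(received),
            c14n_digest(original) == c14n_digest(received))


if __name__ == "__main__":
    for name, packet in [("unchanged", ORIGINAL),
                         ("requoted", REQUOTED),
                         ("recached URL", RECACHED)]:
        blob_ok, c14n_ok = survives(ORIGINAL, packet)
        print(f"{name:13} blob signature ok={blob_ok}  c14n signature ok={c14n_ok}")
```

Canonicalization accepts the requoted packet, but the cached-URL variant fails under both schemes; accepting it would require a further rule about which edits preserve meaning.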

