W3C home > Mailing lists > Public > public-xmlsec-maintwg@w3.org > July 2008

[ACTION-16] ... proposal regarding use of transform that has parameter for passing xml model

From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
Date: Tue, 29 Jul 2008 16:23:51 +0200
Message-ID: <488F27F7.6060005@iaik.tugraz.at>
To: XMLSec <public-xmlsec-maintwg@w3.org>
Dear all,

Some steps that - taking a first quick approach - could be sufficient to
make sure an enveloping signature V2 may respect the following order for
streaming processing:

1. Algorithms
2. Data
3. DigestValues and SignatureValues

Here is a quickly drafted proposal about how this could be achieved
using the current XMLDSIG syntax:

* create a reference that points to the data (the first child of a
specific transform), the URI SHOULD be supplied for compatibility.

e.g. URI = "#xmlns(ds=http://www.w3.org/2000/09/xmldsig#)xpointer(here()/ancestor::ds:Reference/ds:Transforms[1]/ds:Transform[1]/InlineXML[1]/child::node()[not(self::text())])"

* supply the data as a child of the first transform that is supposed to
be ignored by old applications and shall return the data contained as
its first child.

e.g. Algorithm="http://www.w3.org/2008/08/xmldsig#supply-data-transform"

* [optional] make sure it is not digested twice (ds:Reference Level &
ds:SignedInfoLevel, optional because the interpretation of conflicting
double digesting may be difficult in some legal frameworks)

e.g. Algorithm="http://www.w3.org/2008/08/xml-exc-c14n12#SkipDataTransform" (maybe use for forwards compatibility)

the only means we have for that is the ds:SignedInfo Level c14n, ...


a draft example often says more than thousand words.

<Signature Id="MyStreamingEnvelopingSignature" xmlns="http://www.w3.org/2000/09/xmldsig#"> 
    <CanonicalizationMethod Algorithm="http://www.w3.org/2008/08/xml-exc-c14n12#SkipDataTransform"/> 
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> 
    <Reference URI="#xmlns(ds=http://www.w3.org/2000/09/xmldsig#)xpointer(here()/ancestor::ds:Reference/ds:Transforms[1]/ds:Transform[1]/InlineXML[1]/child::node()[not(self::text())])"> 
        <Transform Algorithm="http://www.w3.org/2008/08/xmldsig#supply-data-transform">
          <InlineXML xmlns="" xmlns:ds="" ... further undeclarations ... xmlns:*=""><!-- no space allowed/interpreted here --><MyData></MyData><!-- no space allowed/interpreted
 here --></InlineXML>
      <DigestMethod Algorithm="http://www.w3.org/2001/04//xmlenc/#/sha256/"/> 

Konrad Lanz, IAIK/SIC - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5547
Fax: +43 316 873 5520

Certificate chain (including the EuroPKI root certificate):

Received on Tuesday, 29 July 2008 14:24:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:58:44 UTC