
[ACTION-16] ... proposal regarding use of transform that has parameter for passing xml model

From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
Date: Tue, 29 Jul 2008 16:51:12 +0200
Message-ID: <488F2E60.3000507@iaik.tugraz.at>
To: public-xmlsec@w3.org

Dear all,

Some steps that - taking a first quick approach - could be sufficient to
make sure an enveloping signature V2 may respect the following order for
streaming processing:

1. Algorithms
2. Data
3. DigestValues and SignatureValues

Here is a quickly drafted proposal about how this could be achieved
using the current XMLDSIG syntax:

* create a reference that points to the data (the first child of a
specific transform), the URI SHOULD be supplied for compatibility.

e.g. URI =

* supply the data as a child of the first transform that is supposed to
be ignored by old applications and shall return the data contained as
its first child.

e.g. Algorithm="http://www.w3.org/2008/08/xmldsig#supply-data-transform"

* [optional] make sure it is not digested twice (ds:Reference Level &
ds:SignedInfoLevel, optional because the interpretation of conflicting
double digesting may be difficult in some legal frameworks)

(maybe use for forwards compatibility)

the only means we have for that is the ds:SignedInfo Level c14n, ...


A draft example often says more than a thousand words.

<Signature Id="MyStreamingEnvelopingSignature"

          <InlineXML xmlns="" xmlns:ds="" ... further undeclarations ...
xmlns:*=""><!-- no space allowed/interpreted here
--><MyData></MyData><!-- no space allowed/interpreted
 here --></InlineXML>

Konrad Lanz, IAIK/SIC - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5547
Fax: +43 316 873 5520

Certificate chain (including the EuroPKI root certificate):

Received on Tuesday, 29 July 2008 14:51:54 UTC
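The layout proposed in the message above, as an added worked example. This is my code, not code from Konrad Lanz's message or from the XML Security WG: a producer lays a Signature out so that the algorithms, the inline data and the digest and signature values appear in that document order, and a single-pass consumer built on iterparse verifies the Reference digest as the data goes by, without dereferencing the URI. Points the message leaves open are assumed here and marked in the code: C14N 2.0 from the Python standard library stands in for whatever canonicalization the data gets, the draft's InlineXML element is read as a wrapper whose first child is the data, the compatibility URI is assumed to point at an Id attribute on the data, and the sample payload and the placeholder SignatureValue are constructed (signing itself is not shown).

```python
"""Added example (mine; not code from Konrad Lanz's message or the XML Security
WG): a producer and a single-pass consumer for the proposed supply-data
transform.  The data is carried as the first child of the Reference's first
Transform, so a verifier reading in document order meets the algorithms, then
the data, then DigestValue and SignatureValue.  Assumed here, because the
message leaves them open: C14N 2.0 from the stdlib as the canonicalization,
InlineXML as a wrapper whose first child is the data, and a compatibility URI
that points at an Id attribute on the data.  SignatureValue is not computed."""
import base64
import copy
import hashlib
import io
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SUPPLY_DATA = "http://www.w3.org/2008/08/xmldsig#supply-data-transform"  # URI from the message
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
PAYLOAD = '<MyData Id="d1">hello</MyData>'  # constructed sample payload
ET.register_namespace("ds", DS)


def ds(name):
    return f"{{{DS}}}{name}"


def c14n_digest(elem):
    """base64(SHA-256(C14N(elem))) for one element subtree, tail text excluded."""
    e = copy.deepcopy(elem)
    e.tail = None
    canon = ET.canonicalize(ET.tostring(e, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def build_signature(data_xml, sig_id="MyStreamingEnvelopingSignature"):
    """Lay out a Signature in the proposed order: algorithms, inline data,
    DigestValue, SignatureValue.  data_xml is a payload element with an Id."""
    data = ET.fromstring(data_xml)
    sig = ET.Element(ds("Signature"), Id=sig_id)
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"),
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(si, ds("SignatureMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    # URI kept for old verifiers (assumed to point at the data's Id); a
    # verifier that knows the transform never dereferences it.
    ref = ET.SubElement(si, ds("Reference"), URI="#" + data.get("Id"))
    tf = ET.SubElement(ET.SubElement(ref, ds("Transforms")), ds("Transform"),
                       Algorithm=SUPPLY_DATA)
    ET.SubElement(tf, "InlineXML").append(data)  # no-namespace wrapper, no whitespace
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, ds("DigestValue")).text = c14n_digest(data)
    ET.SubElement(sig, ds("SignatureValue")).text = "AAAA"  # placeholder, not computed
    return ET.tostring(sig, encoding="unicode")


def verify_streaming(sig_xml):
    """One pass with iterparse.  True when every Reference carried inline data
    and its DigestValue matched; False on a mismatch, an unsupported
    DigestMethod, or a DigestValue met before any inline data (out of order)."""
    state = None        # None -> "wrapper" -> "data" while locating the inline data
    data_el = None      # element whose 'end' event triggers hashing
    digest_method = None
    pending = None      # digest of the data seen so far in the current Reference
    checked = 0
    for event, el in ET.iterparse(io.BytesIO(sig_xml.encode()), events=("start", "end")):
        if event == "start":
            if el.tag == ds("Transform") and el.get("Algorithm") == SUPPLY_DATA:
                state = "wrapper"
            elif state == "wrapper":
                state = "data"               # this start is the InlineXML wrapper
            elif state == "data":
                data_el, state = el, None    # first child of the wrapper: the data
            elif el.tag == ds("DigestMethod"):
                digest_method = el.get("Algorithm")
        elif el is data_el:
            pending, data_el = c14n_digest(el), None   # hash as soon as data is complete
        elif el.tag == ds("Transform"):
            state = None                     # empty transform: no data supplied
        elif el.tag == ds("DigestValue"):
            if pending is None or digest_method != SHA256:
                return False
            if (el.text or "").strip() != pending:
                return False
            checked += 1
        elif el.tag == ds("Reference"):
            pending = digest_method = None
    return checked > 0


if __name__ == "__main__":
    sig = build_signature(PAYLOAD)
    print(sig)
    print("verified:", verify_streaming(sig))
    print("tampered:", verify_streaming(sig.replace("hello", "hullo")))
```

Two caveats the code makes visible. With the current Reference syntax, DigestMethod still follows Transforms, so the one algorithm that arrives after the data is the digest algorithm; the consumer hashes with SHA-256 as soon as the data ends and rejects the Reference later if DigestMethod names something else, and a production verifier would either have to buffer the data or get DigestMethod ahead of it. And because the data now sits inside SignedInfo, it is covered by the SignedInfo canonicalization as well as by the Reference digest; that is the double digesting the message's optional third step is about, and the example does nothing to avoid it.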
