W3C home > Mailing lists > Public > public-xmlsec@w3.org > November 2010

Updates to Signature 2.0

From: Pratik Datta <pratik.datta@oracle.com>
Date: Thu, 18 Nov 2010 16:15:27 -0800 (PST)
Message-ID: <c2498776-1e66-41ee-974e-65ac150fdbc8@default>
To: public-xmlsec@w3.org
Made the following updates

http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/   Version:  18th November 



ACTION-708 : Fix typo in XML Signature 2.0 in DigestDataLength description purpose c)

New text: The dsig2:Verification element


1. <dsig2:DigestDataLength> which is an integer that specifies the number of bytes that were digested in this reference. This can be used for multiple purposes, a) to debug digest verification failures, b) to indicate intentional signing of 0 bytes, this can happen if an XPath expression did not choose anything, c) to bypass the expensive digest calculation if during verification, the length of the byte array containing the canonicalized bytes doesn't match the DigestDataLength found in the reference.




ACTION-707 : Remove EnvelopedSignature from section 6.7.1,


6.7.1 Selection Type=http://www.w3.org/2010/xmldsig2#xml


4. Modify the selection to exclude the current signature subtree



ACTION-689  : Limit to xpath profile during xml signature 2.0 generation in 2.0 mode

New text: XPaths in 2.0 mode


The XPath expressions specified in the IncludedXPath and ExcludedXPath elements are "normal" XPath, i.e. they are not like the XPath in "Compatibility mode" XPath Filter transform which are evaluated as a binary expression. Instead these XPaths are a path to the root of the subtree being included or excluded. E.g. /book/chapter refers to the all chapter children of all book children of root node. The IncludedXPath element should only select element nodes, whereas the ExcludedXPath element can choose element or attribute nodes. Again this is consistent with the C14N 2.0 data model.


Only those XPath expressions defined in this profile of XPath 1.0 [XMLDSIG-XPATH] are allowed here. This profile includes most of the simple and commonly used XPath expressions but exludes those expressions that cannot be evaluated in a streaming mode. XPaths expressions disallowed by this profile must not be used in IncludedXPath and ExcludedXPath. It is of course not necessary to use a streaming XPath processor, one can use any XPath 1.0 processors to construct and verify signatures, just that the XPath expressions in the Signature need to conform to this profile, so that a streaming XPath processor may also be used to evaluate them.

Received on Friday, 19 November 2010 00:16:48 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:14 UTC