
RE: When one-pass streaming is not possible...

From: Scott Cantor <cantor.2@osu.edu>
Date: Mon, 6 Sep 2010 13:08:04 -0400
To: "'Meiko Jensen'" <Meiko.Jensen@ruhr-uni-bochum.de>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Message-ID: <075101cb4de6$11e77770$35b66650$@osu.edu>

> Since the 2.0 mode disallows all kinds of transforms besides the new
> selection-c14n-v10n transform, how do we cope with enveloped signatures
> (and the enveloped-signature-transform) in that case? Does a developer
> have to explicitly add an appropriate XPath expression in ExcludedXPath
> for the ds:Signature element? What does that one look like?
> "<ExcludedXPath> //ds:Signature </ExcludedXPath>" ? Is this streamable?
> Is this discussed somewhere in the spec / the best practices? I didn't
> find anything on a quick review....

I think what I was assuming would happen was that the c14n interface would
include an option to specify a signature node that would be excluded, as an
allowance for the fact that the main use case for c14n was signing. I don't
think that was done though, and I imagine that's DOM specific. If the only
SAX friendly way to do it is with an XPath anyway, it's probably pretty
immaterial whether it's an exclusion like any other, or a special one.

I would not want to see XPath made a requirement to handle enveloped
signatures, as my use cases are enveloped signatures using ID references
with DOM, and don't require an XPath processor at all. (I know you weren't
necessarily saying we had to, just wanted to be clear about my

We should probably create an issue for this.

-- Scott
Received on Monday, 6 September 2010 17:08:39 UTC
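
As an added illustration of the exclusion discussed in this message (not code from the thread, the working group, or any specification): a one-pass SAX filter that drops every `ds:Signature` subtree, which is what an exclusion such as `//ds:Signature` selects. The decision needs only the element name and a depth counter, with no lookahead, but it also removes nested signatures inside the signed content, whereas the XML Signature 1.x enveloped-signature transform removes only the `Signature` element that contains it. The class and function names and the sample document are constructed for this example, and the output is an event list for a canonicalizer to consume, not canonical XML.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_namespaces, feature_external_ges

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

class SignatureExcluder(ContentHandler):
    """Forwards SAX events, dropping every ds:Signature subtree in one pass."""

    def __init__(self):
        super().__init__()
        self.events = []     # events a canonicalizer/digester would consume
        self.skip_depth = 0  # > 0 while inside an excluded ds:Signature

    def startElementNS(self, name, qname, attrs):
        # The exclusion decision needs only the expanded element name.
        if self.skip_depth or name == (DSIG_NS, "Signature"):
            self.skip_depth += 1
            return
        self.events.append(("start", name[1]))

    def endElementNS(self, name, qname):
        if self.skip_depth:
            self.skip_depth -= 1
            return
        self.events.append(("end", name[1]))

    def characters(self, content):
        # Simplification: whitespace-only text is dropped; real c14n keeps it.
        if not self.skip_depth and content.strip():
            self.events.append(("text", content.strip()))

def events_without_signatures(xml_bytes):
    parser = xml.sax.make_parser()
    parser.setFeature(feature_namespaces, True)
    parser.setFeature(feature_external_ges, False)  # no external entities
    handler = SignatureExcluder()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.events

# Constructed sample: an enveloped signature plus a second, nested signature.
SAMPLE = b"""<doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <item>payload<ds:Signature><ds:SignatureValue>inner</ds:SignatureValue></ds:Signature></item>
  <ds:Signature><ds:SignatureValue>outer</ds:SignatureValue></ds:Signature>
</doc>"""

if __name__ == "__main__":
    for event in events_without_signatures(SAMPLE):
        print(event)
```

Both the outer and the nested signature disappear from the event stream, so a verifier relying on this exclusion does not cover the nested signature with the outer digest.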
