W3C home > Mailing lists > Public > public-xmlsec@w3.org > March 2011

Re: DSig2.0 examples V2.0

From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
Date: 25 Mar 2011 08:39:05 +0100
Message-ID: <4D8C4699.9080204@ruhr-uni-bochum.de>
To: Frederick.Hirsch@nokia.com
Cc: public-xmlsec@w3.org
Frederick, all,

see below

Am 24.03.2011 23:06, schrieb Frederick.Hirsch@nokia.com:
> Meiko, 
> Thanks for creating an example.
> I reviewed it and made the following changes, attached:
> 1. WS-Security uses wsse:Security as the security element within the SOAP header, so changed to that from nrns:SecurityHeader
I intentionally used a different syntax here, since we don't know yet
whether WS-Security will adapt XML Signature 2.0 or not. Stating an
example that already shows what WS-Security has to be like when using
XML Signature 2.0 may lead to confusions, especially if they decide to
use a different approach (say, a different way to use XPath for
selection), and our recommendation document then contains an invalid
example. I'd imagine this to be rather misleading.

However, if the working group decides not to consider this a problem,
I'm fine with having a WS-Security example.
> 2. Switched to using Security Token Reference from KeyValue to  binary security token (with DSA X509 cert).
Bruce already pointed me to the RSA algorthm but DSA KeyValues. Thanks
for correcting this.
> 3. Added explicit ds: prefix to all xml security elements as is common in SOAP examples
> 4. Added c14n2: prefix for C14N2 elements in two places.
> 5. changed dsig2:Verification DigestDataLength to "32" to reflect SHA-256 output length. Not sure where 175 came from, but am probably missing something obvious right now.
As far as I remember, the DigestDataLength was to state the length of
the digested data, not the length of the digest value. 175 reflected the
length of the canonicalized version of the selected parts of the
document (<ns0:operation>...</ns0:operation>). I'll do a recalculation
on your examples in the next days.
> 6. Changed soap body operation to be in the ex: namespace using example.com
> Probably introduced an error but did not declare ex: namespace before soap:Body even though used in XPath. Will this be an error?
Yep, the prefix "ex" is not bound at the text node of the XPath; this
should result in a processing error. Just add its binding to the
Envelope ;)

Thanks for the review.

best regards

> comment?
> regards, Frederick
> Frederick Hirsch
> Nokia
> On Mar 16, 2011, at 9:11 AM, ext Meiko Jensen wrote:
>> Dear all,
>> I found some time to reiterate my initial example for the DSig2.0
>> syntax. Again, I'm not claiming it to be complete nor correct, but
>> according to my understanding of what we specified so far, this is what
>> it should look like. Please note that for the sake of an example I
>> listed some c14n parameters even though they keep their default values
>> (and hence may also be omitted). I recommend developing a second example
>> for ID-based referencing, which should look somewhat similar, but for
>> now we at least should have something to start from.
>> cheers
>> Meiko
>> -- 
>> Dipl.-Inf. Meiko Jensen
>> Chair for Network and Data Security 
>> Horst Görtz Institute for IT-Security 
>> Ruhr University Bochum, Germany
>> _____________________________
>> Universitätsstr. 150, Geb. ID 2/411
>> D-44801 Bochum, Germany
>> Phone: +49 (0) 234 / 32-26796
>> Telefax: +49 (0) 234 / 32-14347
>> http:// www.nds.rub.de
>> <sig2example.txt>
Received on Friday, 25 March 2011 07:39:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:15 UTC