Enveloped signatures

I have a few comments on the discussion in [1] at the Victoria FTF.


I believe enveloped (aka. embedded) signatures will be a very common
scenario of applying XML signatures, and for this reason it should be simple
to support them in implementations. 

XPath transformation is very powerful, but implementing it is awkward and it
may be left out of implementations because it is not mandatory and for
security or other reasons. 

The result of the current XPath transform definition is something that (in
my opionion) cannot easilly be produced without actually fully implementing
XPath. 


A suggestion:

6.6.5 Signature Exclusion

Identifier: 
    http://www.w3.org/2000/02/xmldsig#exclude-signature

The transform excludes the ancestor Signature element of the DigestValue
element that is being calculated. The intention is to support enveloped
signatures where the DigestValue calculation would overlap with itself.



[1]
http://www.w3.org/Signature/Minutes/000420-Victoria/Overview.html#Identifier

More references to discussion on this topic:

http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0274.html
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0286.html
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0287.html
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0296.html


--
Petteri Stenius                            Petteri.Stenius@remtec.fi
Remtec Systems, Ltd.                           Office +358-9-5259240
                                                 Fax +358-9-52592411
http://www.remtec.fi/                         Mobile +358-50-5506161

Received on Wednesday, 10 May 2000 04:35:30 UTC