
RE: Enveloped signatures and XPath

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Sun, 26 Mar 2000 04:31:07 -0500 (EST)
To: Mark Bartel <mbartel@thistle.ca>
cc: "'John Boyer '" <jboyer@PureEdge.com>, "'Petteri Stenius '" <Petteri.Stenius@remtec.fi>, "'IETF/W3C XML-DSig WG (E-mail) '" <w3c-ietf-xmldsig@w3.org>
Message-ID: <Pine.LNX.4.20.0003260405530.30235-100000@tux.w3.org>

On Fri, 24 Mar 2000, Mark Bartel wrote:
> kind of document definition?), or it must understand the XPath expression
> itself, and "know" that the expression is doing the right things.  It would
> be much simpler to verify that the exclusion was correct with an IDREF
> exclusion transformation.  "Does the signature itself have the exclusion id,
> yes or no?"

I'm not exactly sure what you mean by the IDREF exclusion transformation,
could you provide an example?
 
> I would like to see an exclusion mechanism that does not involve XPath.  The
> fact that the XPath transform can do anything is precisely the reason
> for wanting a simpler transform that can't.
    
Which is why last time we discussed this we opted for the generality of
XPath, and a specific well defined instance for excluding SignatureValue,
which Petteri rightfully points out we haven't provided yet (though I
think this is a good path), but ...

> The big difference between the XPath approach and the plain link case is
> that the verifier is automatically verifying that the document matches the
> "document definition" when they evaluate the XPath; they can't do anything
> else.  In the plain link case, the verifier can choose not to test the
> document against the document definition.

I don't recall if this was part of the previous discussion. Something that
would've been nice to put (and resolve) in the requirements document
was the necessity of validating the signature (in the XML sense): is the
DTD/schema necessary?

Regardless, Mark, if we provide the profiled XPath instance for removing
SignatureValue, can't you still code your signature application to its
semantic (as you would do with the other solution) without needing the
DTD? (Find some string 'blah' and remove SignatureValue (be it an XPath
string or something else).) Or would the result of the XPath process
and the application 'hack' be intrinsically different (or hard to
make similar)?

And is your concern about DTDs with respect to Signature applications not
knowing (I doubt this, not too hard to ask Signature applications to
have the DTD/schema around), the fact that whichever XML toolkit you are
using doesn't require them, or the fact that in an Enveloped Signature you
(by definition) have content from a different namespace, which DTDs don't
easily support?
 
Received on Sunday, 26 March 2000 04:31:30 GMT
