W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2000

RE: Enveloped signatures and XPath

From: Gregor Karlinger <gregor.karlinger@iaik.at>
Date: Wed, 29 Mar 2000 09:15:33 +0200
To: "John Boyer" <jboyer@PureEdge.com>, "Peter Lipp" <Peter.Lipp@iaik.at>
Cc: "''IETF/W3C XML-DSig WG (E-mail) ' '" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBIMACDKCOPBLEJCCDOEDLCEAA.gregor.karlinger@iaik.at>
  A question here: Why can't we simply exclude the entire Signature element?
  That's what Gregor and I have been discussing today. I would strongly
  that! I'd like to know if anything spoke against it.....

  > Sorry Peter, but that's not an accurate paraphrase.  It is quite
  > to be able to exclude certain elements, but that one requires a great
  > of precision in identifying what must be excluded to ensure that you are
  > excluding what you meant to exclude.
  > Exclusion by id excludes an element based on the value of a single
  > attribute, and this is not enough in most cases to accurately identify
  > information to be excluded, and to restrict one's exclusion to only that
  > information.

I will try to phrase more accurately than Peter ;-):

If an enveloped signature is to be constructed, then there obviously the
following problem occurs: One has to take care that (at least) tholse parts
of the Signature element are omitted which are not available at the time of
computing the reference's digest, which are the SignatureValue and the
DigestValue of the reference currently worked on.

The main point of my discussion with Peter yesterday was: What important
could be out there in the world that one cannot simply omit the Signature
element as a whole in such a case of an enveloped signature?

If there exist important data entities inside the Signature element that
should also be signed, why not simply add another references directly to
that items?

Neither Peter nor I are argueing against the XPath transform in general, but
feel that the spec should be kept as simple as possible if we don't buy
severe restrictions with such simplicity. And in my opinion omitting the
Signature element does not lead to any restrictions.

Regards, Gregor
Gregor Karlinger
Phone +43 316 873 5541
Institute for Applied Information Processing and Communications

Received on Wednesday, 29 March 2000 02:16:59 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:33 UTC