W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2000

RE: Enveloped signatures and XPath

From: John Boyer <jboyer@PureEdge.com>
Date: Wed, 29 Mar 2000 10:04:46 -0800
To: <gregor.karlinger@iaik.at>, "Peter Lipp" <Peter.Lipp@iaik.at>
Cc: "''IETF/W3C XML-DSig WG \(E-mail\) ' '" <w3c-ietf-xmldsig@w3.org>
Hi Gregor,

As I said in a prior email, I personally agree with automatic exclusion from
the DigestValue calculation of any signature element that will be ancestor
of the DigestValue.  This is what we did in XFDL since there seemed to be
little point in making everyone write the exclusion logic every time (all
signatures in XFDL are enveloped because the form is always the root).

The group previously discussed this, albeit briefly, and decided against.
There may be some minutes or archive feedback reflecting this, or it may not
have been recorded.

However, I am not willing to take a strong position on this because I think
that it is not hard for one's application to recognize a specific expression
*constructed by the application designer* to exclude the signature element
from the DigestValue calculation.  Thus, the application will function
without full XPath support, and will express its signatures in a way that
can be understood by other applications.  But if you want write a generic
piece of code that understands everyone's signatures, you are pretty much
required to implement the XPath transform, in which case the specific
expressions used by various applications will be supported by your generic

I believe this is the reason why the group did not want to make th exception
you are recommending.

John Boyer
Software Development Manager
PureEdge Solutions, Inc. (formerly UWI.Com)
Creating Binding E-Commerce

  A question here: Why can't we simply exclude the entire Signature element?
  That's what Gregor and I have been discussing today. I would strongly
  that! I'd like to know if anything spoke against it.....

  > Sorry Peter, but that's not an accurate paraphrase.  It is quite
  > to be able to exclude certain elements, but that one requires a great
  > of precision in identifying what must be excluded to ensure that you are
  > excluding what you meant to exclude.
  > Exclusion by id excludes an element based on the value of a single
  > attribute, and this is not enough in most cases to accurately identify
  > information to be excluded, and to restrict one's exclusion to only that
  > information.

I will try to phrase more accurately than Peter ;-):

If an enveloped signature is to be constructed, then there obviously the
following problem occurs: One has to take care that (at least) tholse parts
of the Signature element are omitted which are not available at the time of
computing the reference's digest, which are the SignatureValue and the
DigestValue of the reference currently worked on.

The main point of my discussion with Peter yesterday was: What important
could be out there in the world that one cannot simply omit the Signature
element as a whole in such a case of an enveloped signature?

If there exist important data entities inside the Signature element that
should also be signed, why not simply add another references directly to
that items?

Neither Peter nor I are argueing against the XPath transform in general, but
feel that the spec should be kept as simple as possible if we don't buy
severe restrictions with such simplicity. And in my opinion omitting the
Signature element does not lead to any restrictions.

Regards, Gregor
Gregor Karlinger
Phone +43 316 873 5541
Institute for Applied Information Processing and Communications
Received on Wednesday, 29 March 2000 13:03:35 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:33 UTC