
Re: enveloped-signature algorithm

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Fri, 07 Jul 2000 21:45:51 -0400
Message-Id: <3.0.5.32.20000707214551.019e1ea0@localhost>
To: Kevin Regan <kevinr@valicert.com>
Cc: w3c-ietf-xmldsig@w3.org

At 16:45 2000-07-07 -0700, Kevin Regan wrote:
 >
 >Is it necessary to have the:
 >
 >http://www.w3.org/2000/02/xmldsig#enveloping-signature
 >
 >algorithm?  Can't this simply be implied?  When would you
 >not want to exclude the enveloped Signature element from
 >the canonicalization step?  It seems like additional
 >complexity that is not really needed.
 
It isn't necessary for external or enveloped Signatures. Having it implied
buys little but potential ambiguity. Consider the behavior of a
canonicalization algorithm where this is implied and one is dealing with
nested enveloped/enveloping Signatures. John's approach of distinguishing
between evaluating-expressions-as-transforms, such as Signature's enveloping
signature:

   <XPath xmlns:dsig="&dsig;">
   (//. | //@* | //namespace::*)
   [
   count(ancestor-or-self::dsig:Signature |
         here()/ancestor::dsig:Signature[1]) >
   count(ancestor-or-self::dsig:Signature)
   ]
   </XPath>

or canonicalization's internal/default:

        (//. | //@* | //namespace::*)[not(self::comment())]

and actual node-set ordering to UTF-8 conversion is quite slick IMHO.

_________________________________________________________
Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
Received on Friday, 7 July 2000 21:47:11 GMT
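
The count() comparison in the XPath quoted above, worked through on a nested case as an added example (not code from this thread or from the specification). The sample document, the Id labels and the helper names are constructed; only element nodes are evaluated, with attributes, namespace nodes and text following their parent element.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/02/xmldsig#"  # namespace URI quoted in the thread
SIG = f"{{{DSIG}}}Signature"

# Constructed sample: an outer enveloped Signature whose Object envelops
# a fragment that carries its own, inner enveloped Signature.
SAMPLE = f"""
<Doc xmlns:dsig="{DSIG}">
  <Body>payload</Body>
  <dsig:Signature Id="outer">
    <dsig:Transforms><dsig:XPath Id="here-outer"/></dsig:Transforms>
    <dsig:Object>
      <Inner>
        <dsig:Signature Id="inner">
          <dsig:XPath Id="here-inner"/>
        </dsig:Signature>
      </Inner>
    </dsig:Object>
  </dsig:Signature>
</Doc>
"""

def ancestors_or_self(node, parent_of):
    chain = []
    while node is not None:
        chain.append(node)
        node = parent_of.get(node)
    return chain

def enveloped_filter(root, here):
    """Elements the predicate keeps when here() is the given XPath element."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    # here()/ancestor::dsig:Signature[1]: nearest Signature strictly above here()
    own_sig = next((a for a in ancestors_or_self(here, parent_of)[1:]
                    if a.tag == SIG), None)
    kept = []
    for node in root.iter():  # document order
        sigs = {a for a in ancestors_or_self(node, parent_of) if a.tag == SIG}
        union = sigs | ({own_sig} - {None})
        if len(union) > len(sigs):  # count(A | B) > count(A)
            kept.append(node)
    return kept

def kept_labels(here_id):
    root = ET.fromstring(SAMPLE)
    here = next(e for e in root.iter() if e.get("Id") == here_id)
    return [e.get("Id") or e.tag.split("}")[-1] for e in enveloped_filter(root, here)]
```

With here() inside the outer Signature the whole outer subtree drops out, inner Signature included; with here() inside the inner Signature only that element is removed and the outer Signature stays in the node-set.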
